Practical attacks against WEP and WPA
Martin Beck, TU-Dresden, Germany
<hirte@aircrack-ng.org>
Erik Tews, TU-Darmstadt, Germany
<e_tews@cdc.informatik.tu-darmstadt.de>
November 8, 2008
In this paper, we describe two attacks on IEEE 802.11 based wireless LANs[2]. The first attack is an improved key recovery attack on WEP, which reduces the average number of packets an attacker has to intercept to recover the secret key. The second attack is (according to our knowledge) the first practical attack on WPA secured wireless networks, besides launching a dictionary attack when a weak pre-shared key (PSK) is used. The attack works if the network is using TKIP to encrypt the traffic. An attacker who has about 12-15 minutes of access to the network is then able to decrypt an ARP request or response and send 7 packets with custom content to the network.
1 Introduction
IEEE 802.11[2] is a standard family for wireless networks. Such networks can be found in home, office, and enterprise environments and are quite popular today. If sensitive information is transmitted over a wireless network, privacy and integrity are a concern and must be taken care of.
The first version of the IEEE 802.11 standard supported a basic mechanism for protecting such networks named Wired Equivalent Privacy (WEP). WEP requires all clients and access points in the network to share up to four different secret symmetric keys, which is clearly not optimal for a larger installation where users change frequently. Most installations just use a single secret key named root key. WEP has some major design flaws and was completely broken in 2001[4,13] by Fluhrer, Mantin, and Shamir. They showed that an attacker can recover the secret key of the network with an average consumer laptop in 1-2 hours. More advanced attacks were published in the following years, making it possible to recover the secret key of the network in less than 60 seconds[15].
To fix the problems of WEP, a new standard named Wi-Fi Protected Access (WPA)
was released in 2003, now part of the IEEE 802.11 specifications[2].
The structure of this paper is as follows: In Section 2, we give an introduction to the technical details of WEP and WPA and introduce the notation used in the rest of this paper. In Section 3, we give an overview of a selected number of attacks on WEP. In Section 4, we present a new attack on WEP, which reduces the number of packets an attacker needs to intercept to recover the secret root key compared to previous attacks. In Section 5, we present a new attack on WPA, which allows an attacker who has about 12-15 minutes of access to a WPA protected network to send 7 packets to the network with chosen payload and decrypt a single ARP[11] packet. According to our knowledge, this is the first practical attack on WPA protected networks, besides launching a dictionary attack against a weakly chosen pre-shared key.
2 Notation
Numbers are always written in decimal notation, for example 12 is the number twelve. The signs $+$ and $\cdot$ are addition and multiplication. $(\mathbb{Z}/n\mathbb{Z})^+$ is the additive group of the numbers 0 to $n-1$, where all additions are done mod $n$. When operations are done in $(\mathbb{Z}/n\mathbb{Z})^+$, we write $a+b$ as a short form of $a+b \bmod n$. For arrays, we use the $[\cdot]$ notation as used in many programming languages like C or Java. The first element in the array $S$ is $S[0]$. Permutations are written as arrays too. If $S$ is a permutation, $S^{-1}$ is the inverse permutation. For example, if $S[i] = j$ holds, then $S^{-1}[j] = i$ holds. When two arrays $A$ and $B$ are concatenated to a new array $C$, we write $C = A \| B$. $\mathbb{F}_2$ is the finite field with just the two elements 0 and 1. $\mathbb{F}_2[X]$ is the ring of polynomials over $\mathbb{F}_2$. When specifying estimations for a success probability or similar things, we use the sign $\approx$ to note that a formula or a value is only a good approximation, but not absolutely accurate.
Because WEP is mostly based on the RC4 stream cipher[12], we need to introduce a notation for analyzing the RC4 stream cipher. RC4 consists of two algorithms: the RC4-KSA, which transforms a key of length 1 to 256 bytes into an initial permutation $S$ of the numbers 0 to 255, and the RC4-PRGA. The internal state of RC4 consists of this permutation $S$ and two numbers $i$ and $j$ used as pointers to elements of $S$. The RC4-PRGA generates a single byte of keystream from such a state and then updates the state.
To analyze the cipher, we will write $S_k$ and $j_k$ for the state of $S$ and $j$ after exactly $k$ rounds of the loop starting in line 5 in Listing 1 have been executed. To make the paper more readable, we write $n$ for the constant value 256. Accordingly, we write $S_{k+n}$ and $j_{k+n}$ for the state of $S$ and $j$ after the state was initialized by the algorithm in Listing 1 and exactly $k$ bytes of output have been produced by the algorithm in Listing 2. When a key $K$ is used for RC4 and a keystream $X$ of arbitrary length is produced, we write $X = \mathrm{RC4}(K)$. Please note that an attacker who knows the first $k$ bytes of an RC4 key $K$ also knows $S_k$ and $j_k$.
Listing 1: RC4-KSA
     1  for i ← 0 to 255 do
     2      S[i] ← i
     3  end
     4  j ← 0
     5  for i ← 0 to 255 do
     6      j ← j + S[i] + K[i mod len(K)] mod 256
     7      swap(S, i, j)
     8  end
     9  i ← 0
    10  j ← 0

Listing 2: RC4-PRGA
     1  i ← i + 1 mod 256
     2  j ← j + S[i] mod 256
     3  swap(S, i, j)
     4  return S[S[i] + S[j] mod 256]

In a WEP protected network, all stations usually share a single symmetric key $Rk$ named root key. A single packet can easily be lost in an IEEE 802.11 network due to a transmission error, so WEP needs to encrypt all packets independently. Because RC4 does not support an initialization vector by itself, WEP generates a per packet key for every packet. A three byte initialization vector $IV$ is chosen and prepended to the root key $Rk$, which results in the per packet key $K = IV \| Rk$. A keystream $X = \mathrm{RC4}(K)$ is generated from $K$. To protect the integrity of the transmitted data, a 32 bit long CRC32 checksum named ICV is appended to the data. The resulting plaintext is then encrypted by XORing the plaintext (including the CRC32 checksum) with the generated keystream. The ciphertext together with the corresponding unencrypted initialization vector $IV$ is then sent over the air.
WEP originally only specified a 40 bit secret key $Rk$, but most vendors implemented an additional mode where $Rk$ had a length of 104 bits. The length of the corresponding per packet keys $K$ was 64 or 128 bits, and these variants were mostly marketed as 64 or 128 bit WEP. We restrict ourselves to the 104 bit variant, but our attacks can easily be adapted to networks with different key lengths with only minor modifications.
3 Previous attacks on WEP
A number of attacks on WEP have been published in the past.
3.1 The FMS attack
Fluhrer, Mantin and Shamir published[4,13] the first key recovery attack on WEP in 2001. Their attack is based on the following ideas: An attacker who listens passively to the traffic of a WEP protected network can record a lot of encrypted packets including the initialization vectors used for these packets. Because the first bytes of the plaintext of most packets are easily predictable, the attacker is able to recover the first bytes of the keystreams used to encrypt these packets. The initialization vector is transmitted unprotected with the packets, so the attacker initially also knows the first 3 bytes of the per packet key for all packets. All following bytes of the per packet key are the same for all packets, but are initially unknown to the attacker.
Let us assume that an attacker knows the first $l$ bytes of an RC4 key used to generate a keystream $X$. He can therefore simulate the first $l$ steps of the RC4-KSA and knows $S_l$ and $j_l$. In the next step of the RC4-KSA, $j_{l+1} = j_l + K[l] + S_l[l]$ and $S_l[l]$ is swapped with $S_l[j_{l+1}]$. If the attacker could reveal $S_{l+1}[l]$, he could easily recover $K[l]$ by calculating the difference $S_l^{-1}[S_{l+1}[l]] - j_l - S_l[l]$. Fluhrer, Mantin, and Shamir used the following trick to reveal this value:
Assume that the following conditions hold after the first $l$ steps of the RC4-KSA:
1. $S_l[1] < l$
2. $S_l[1] + S_l[S_l[1]] = l$
3. $S_l^{-1}[X[0]] \neq 1$
4. $S_l^{-1}[X[0]] \neq S_l[1]$
In the next step of the RC4-KSA, a value $k = S_l[j_{l+1}]$ will be swapped to $S_{l+1}[l]$. If $j$ changes randomly for the rest of the RC4-KSA, the values $S[1]$, $S[S[1]]$, and $S[l]$ won't be altered with a probability of approximately $\frac{1}{e^3}$ during the remaining RC4-KSA. When the first byte of output is produced by the RC4-PRGA, $j$ will take the value $S_n[1]$, and $S_n[1]$ and $S_n[j]$ are swapped. After the swap, $S[1] + S[S[1]] = l$ still holds and the first byte of output of the RC4-PRGA, $X[0]$, will be $S[l]$. If condition 3 or 4 did not hold, this would indicate that $S[1]$ or $S[S[1]]$ has been altered. In a nutshell, if these four conditions hold, the function
$$F_{fms}(K[0], \ldots, K[l-1], X[0]) = S_l^{-1}[X[0]] - j_l - S_l[l] \quad (1)$$
will take the value of $K[l]$ with a probability of about $\frac{1}{e^3} \approx 5\%$. We will refer to such a set of conditions together with such a function as a correlation for RC4. Fluhrer, Mantin, and Shamir referred to these conditions (or at least to the first two conditions) as the resolved condition.
A full key recovery attack on WEP can be built using this correlation. An attacker captures packets from a WEP protected network and recovers the first byte of keystream used to encrypt these packets by guessing the first byte of plaintext. There are also various active techniques to generate traffic on a WEP protected network even without the key, which allow the recovery of more than the first 1000 bytes of keystream per packet[1]. He selects the packets where the resolved condition holds and calculates $F_{fms}$ for these packets. Each result of $F_{fms}$ can be seen as a vote for the value of $Rk[0]$. After enough packets have been captured, the attacker makes a decision for the value of $Rk[0]$ based on the number of votes generated by $F_{fms}$. If the decision was correct, the attacker knows the first $l = 4$ bytes of all per packet keys and can continue with $Rk[1]$. Please note that all packets need to be reevaluated as to whether the resolved condition holds, because this check depends on the value of $Rk[0]$. After all bytes of $Rk$ have been determined, the attacker checks the resulting key for correctness using a number of trial decryptions. If the key is correct, the attacker has succeeded. If the resulting key is incorrect, the attacker looks for a decision for $Rk[i]$ where an alternative value for $Rk[i]$ was also very likely. The attacker corrects the decision in the decision tree at depth $i$ and continues the attack with the alternate decision.
Although the 5% success probability of $F_{fms}$ looks impressive, the attack needs 4,000,000 to 6,000,000 packets to succeed with a success probability of at least 50%, depending on the exact environment and implementation[14,13]. The reason for this is that the resolved condition holds only for a small fraction of randomly chosen initialization vectors.
3.2 The KoreK attack
In 2004, a person under the pseudonym KoreK posted[9,3] an implementation of an advanced WEP cracking tool in an internet forum. KoreK used 16 additional correlations between the first $l$ bytes of an RC4 key, the first two bytes of the generated keystream, and the next keybyte $K[l]$. Most of these correlations have been found by KoreK himself; a few had been discussed[5] in public before. KoreK assigned names like A_u15 or A_s13 to these attacks; the original FMS attack is called A_s5_1 here.
Nearly all correlations found by KoreK use the approach that the first or second byte of the keystream reveals the value of $j_{l+1}$ under some conditions, if 2-4 values in $S$ have a special constellation and are not changed during the remaining RC4-KSA after step $l+1$. An interesting exception is the A_neg correlation, which doesn't vote for a certain value of $K[l]$. Instead a value can be excluded from the list of possible candidates for $K[l]$, which can be seen as a negative vote for $K[l]$.
The overall attack structure is the same decision tree based approach as for the FMS attack. The number of captured packets is reduced to about 700,000 for 50% success probability[14]. Again, the exact numbers depend on the exact environment and the implementation and parameters used for the attack. One important factor is whether the initialization vectors are generated by a PRNG algorithm or sequentially by a counter.
3.3 The PTW attack
In 2007, a new generation of WEP attacks was published[15,14] by Tews, Weinmann, and Pyshkin. Their attack introduced two new concepts:
1. All previous correlations used required 2-4 values in $S$ not to change during the remaining RC4-KSA. They also had a lot of preconditions which need to hold to use the correlation. Therefore, only a small number of packets could be used to vote for a certain keybyte.
In 2005, Klein showed[7] that $l - X[l-1]$ takes the value of $S[l]$ with a probability of $\frac{2}{n}$. If $S_l[l]$ remains unchanged until $X[l-1]$ has been produced, the function
$$F_{Klein}(K[0], \ldots, K[l-1], X[l-1]) = S_l^{-1}[l - X[l-1]] - (S_l[l] + j_l) \quad (2)$$
takes the value of $K[l]$ with a probability of $\frac{2}{n}$. This result is also known as the Jenkins correlation[6]. $S_l[l]$ remains unchanged with a probability of approximately $\frac{1}{e}$. If $S_l[l]$ is modified before $X[l-1]$ is produced, $F_{Klein}$ takes a more or less random value. In total, this results in the following probability for $F_{Klein}$ taking the value of $K[l]$:
$$\frac{1}{e} \cdot \frac{2}{n} + \left(1 - \frac{1}{e}\right) \cdot \frac{1}{n} \approx \frac{1.37}{n} \quad (3)$$
This correlation makes no requirements on the internal state of RC4 or the keystream, so that every packet can be used.
2. The second new concept is a change in the attack structure. Until now, every key recovery attack had a decision tree based structure and some kind of best first search strategy was used to determine the key byte per byte.
Assume that an attacker knows the first $l$ bytes of an RC4 key and manages to recover $k = S_{l+2}[l+1]$ instead of $S_{l+1}[l]$. Now $S_{l+1}^{-1}[k] - S_{l+1}[l+1] - S_l[l] - j_l = K[l] + K[l+1]$ holds and an attacker would have recovered the value of $K[l] + K[l+1]$. With a very high probability $S_{l+1}^{-1}[k] = S_l^{-1}[k]$ and $S_{l+1}[l+1] = S_l[l+1]$ hold, and $S_l^{-1}[k] - S_{l+1}[l+1] - S_l[l] - j_l$ takes the value of $K[l] + K[l+1]$.
We will call such correlations between the first $l$ bytes of an RC4 key, the generated keystream, and the next $i$ bytes of the key a multibyte correlation and write $\sigma_i$ for the sum $\sum_{k=0}^{i} Rk[k]$. Tews, Weinmann, and Pyshkin modified $F_{Klein}$ to vote for the sum of the next $m$ keybytes for every $m \in \{1, \ldots, 13\}$. This results in the following functions:
$$F_{ptw_m}(K[0], \ldots, K[l-1], X[l+m-2]) = S_l^{-1}[l+m-1 - X[l+m-2]] - \left(j_l + \sum_{a=l}^{l+m-1} S_l[a]\right) \quad (4)$$
which only depend on the first 3 bytes of the per packet key (IV) and vote for $\sigma_i$ instead of $Rk[i]$.
The PTW attack now works as follows: First an attacker captures packets and recovers their keystreams as for the FMS and KoreK attack. The attacker knows the first $l = 3$ bytes of all per packet keys. He now evaluates $F_{ptw_m}$ for every packet and every $m \in \{1, \ldots, 13\}$ and gets votes for $\sigma_0 \ldots \sigma_{12}$. After all packets have been processed, the resulting root key is calculated using $Rk[0] = \sigma_0$ and $Rk[i] = \sigma_i - \sigma_{i-1}$. If the key is incorrect, an alternative decision is made for one of the values $\sigma_i$ and the key is updated using just 12 single subtractions without the need to reevaluate all packets.
The attack needs just about 35,000 to 40,000 packets[14,15] for 50% success probability, which can be collected in less than 60 seconds on a fast network. Only a few seconds of CPU time are needed to execute the attack.
Some modifications of the PTW attack have been proposed[16,10] which reduce the number of packets needed or allow the usage of the PTW attack in some special cases where the recovery of full keystreams is difficult.
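The RC4 algorithms of Listings 1 and 2, the WEP per-packet key K = IV || Rk from Section 2, and the Klein correlation of equations (2) and (3), written out as an added Python example. This is not the paper's code and not aircrack-ng's; the root key, the IVs and the packet count are constructed. rc4_ksa with a round count k below 256 returns the paper's (S_k, j_k), and klein_vote implements F_Klein; with l = 3 the vote targets K[3] = Rk[0], as in the first step of the PTW attack. Over a few tens of thousands of packets the true byte's vote count sits clearly above the average of the other candidates, though not always strictly at the top, which is why the PTW attack ranks candidates instead of trusting the single best one.

```python
"""RC4 in the paper's notation, the WEP per-packet key K = IV || Rk, and the
Klein correlation (equation (2)) used as a vote for K[l].
Added example, not the paper's code; the root key, IVs and packet count used
below are constructed."""
import random

N = 256  # the paper writes n for this constant


def rc4_ksa(key, rounds=N):
    """Listing 1.  Run `rounds` iterations of the loop starting in line 5 and
    return (S, j).  For rounds == k this is the paper's (S_k, j_k); only the
    first `rounds` key bytes are touched, so knowing K[0..k-1] suffices.
    rounds == 256 gives the full initial permutation."""
    S = list(range(N))
    j = 0
    klen = len(key)
    for i in range(rounds):
        j = (j + S[i] + key[i % klen]) % N
        S[i], S[j] = S[j], S[i]
    return S, j


def rc4_prga(S, nbytes):
    """Listing 2 applied nbytes times, starting from i = j = 0 (lines 9-10 of
    Listing 1).  Works on a copy so the caller's state is left untouched."""
    S = S[:]
    i = j = 0
    out = bytearray()
    for _ in range(nbytes):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return bytes(out)


def rc4(key, nbytes):
    """X = RC4(K), truncated to the first nbytes of keystream."""
    S, _ = rc4_ksa(key)
    return rc4_prga(S, nbytes)


def wep_keystream(iv, root_key, nbytes):
    """WEP per-packet key K = IV || Rk and the keystream the packet
    (plaintext plus ICV) is XORed with."""
    return rc4(bytes(iv) + bytes(root_key), nbytes)


def klein_vote(known_prefix, keystream):
    """Equation (2): F_Klein(K[0..l-1], X[l-1]) = S_l^{-1}[l - X[l-1]] - (S_l[l] + j_l),
    all arithmetic mod n.  known_prefix is K[0..l-1]; keystream holds X[0..l-1]
    (or more).  The result equals K[l] with probability about 1.37/n
    (equation (3)) and is roughly uniform otherwise."""
    l = len(known_prefix)
    S_l, j_l = rc4_ksa(known_prefix, rounds=l)
    # S_l^{-1}[v] is the position holding v; list.index performs that lookup
    return (S_l.index((l - keystream[l - 1]) % N) - (S_l[l] + j_l)) % N


def vote_for_rk0(root_key, packets, seed=2008):
    """Constructed experiment: `packets` WEP packets with random IVs, where the
    attacker's view is the IV plus the first three keystream bytes.  With
    l = 3, F_Klein votes for K[3] = Rk[0]; returns the 256-entry vote table."""
    rng = random.Random(seed)
    votes = [0] * N
    for _ in range(packets):
        iv = bytes(rng.randrange(N) for _ in range(3))
        X = wep_keystream(iv, root_key, 3)
        votes[klein_vote(iv, X)] += 1
    return votes


def best_candidate(votes):
    """The key byte value with the most votes."""
    return max(range(N), key=votes.__getitem__)


if __name__ == "__main__":
    rk = bytes.fromhex("0123456789abcdef0123456789")  # constructed 104-bit root key
    votes = vote_for_rk0(rk, 40000)
    print("true Rk[0] = %#04x with %d votes; top candidate %#04x"
          % (rk[0], votes[rk[0]], best_candidate(votes)))
```

The partial KSA is the point of the paper's remark that whoever knows the first k key bytes knows S_k and j_k: rc4_ksa(iv, 3) gives the same (S_3, j_3) whatever the 13 unknown root key bytes are, and that state is all F_Klein needs besides one keystream byte.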
3.4 The Chopchop attack
The chopchop attack[8,14] allows an attacker to interactively decrypt the last $m$ bytes of plaintext of an encrypted packet by sending $m \cdot 128$ packets on average to the network. The attack does not reveal the root key and is not based on any special properties of the RC4 stream cipher.
We can summarize the chopchop attack as follows: Before encryption, a four byte CRC32 checksum named ICV is appended to the data of the packet. The packet with the trailing checksum $P$ can be represented as an element of the polynomial ring $\mathbb{F}_2[X]$. If the checksum is correct, $P \bmod P_{CRC} = P_{ONE}$ holds, where $P_{ONE}$ is a known polynomial and $P_{CRC}$ is a known polynomial too, which is irreducible. We can write $P$ as $Q \cdot X^8 + R$. Here $R$ is the last byte of $P$ and $Q$ are all remaining bytes. When the (encrypted) packet is truncated by one byte, $Q$ will most probably have an incorrect checksum.
Assume that the attacker knows $R$. Adding $P_{ONE} + (X^8)^{-1}(P_{ONE} + R)$ to $Q$ corrects the checksum again. If $R$ was incorrect here, the resulting packet will have an incorrect checksum. This addition can also be done on the encrypted packet.
Most access points can be used to distinguish between encrypted packets with correct and incorrect checksum. For example, if a client is not authenticated and an access point receives a packet from this client, the access point will generate an error message. Packets with an incorrect checksum are silently discarded.
An attacker can use this to interactively decrypt packets. The attacker selects a captured packet for decryption. He truncates the packet by one byte, guesses $R$, corrects the checksum and sends the packet to the access point to find out if his guess for $R$ was correct. If the guess for $R$ was correct, the attacker now knows the last byte of plaintext and can continue with the second last byte. If the guess was incorrect, he makes another, different guess for $R$. After at most 256 guesses and on average 128 guesses, he has guessed the correct value of $R$.
4 An improved attack on WEP
Unfortunately, after the release of the PTW attack, little attention was paid to the old KoreK attack. Compared to the PTW attack, the KoreK attack has the advantage that it only needs the first two bytes of the keystreams of all captured packets. Usually, the recovery of the first two bytes of keystream is much easier than recovering the first 15 or 31 bytes. A pleasant exception is the work done by Vaudenay and Vuagnoux[16], who showed that the correlation used in the FMS attack can also be rewritten to vote for $\sigma_i$ instead of $Rk[i]$. This correlation is one of the 17 correlations used in the KoreK attack.
Figure 1: Success rate of the new WEP attack. [Plot: probability of success (0 to 1) against number of sessions collected / 10,000 (0 to 6), with one curve for random IV generation and one for counter mode IV generation.]
To improve the performance of the PTW attack, we started rewriting all correlations used by KoreK to vote for $\sigma_i$ instead of $Rk[i]$. Surprisingly, we were able to successfully modify almost all correlations used by KoreK, with a few exceptions:
The correlations A_4_s13, A_4_u5_1, and A_4_u5_2 in the original KoreK attack can only be used to vote for $Rk[1]$ when $Rk[0]$ is known. Using these correlations for $Rk[2]$, $Rk[3]$ or any other keybyte besides $Rk[1]$ has not been implemented by KoreK. The modification of these correlations results in new correlations which vote only for $\sigma_1$, even with $Rk[0]$ or $\sigma_0$ being unknown.
KoreK assigned labels with comments to some correlations. The correlation A_u5_3 is the only correlation labeled with the comment "no good". When we tried to modify A_u5_3 to vote for $\sigma_i$, the resulting correlation did not produce any useful results.
The correlation A_neg was used by KoreK to exclude values from being $Rk[i]$. The modification of this correlation results in a new correlation which can exclude values from being $\sigma_i$ with a high probability. To implement this additional feature, a negative weight is assigned to this correlation.
Another interesting extension of the PTW attack was suggested by [16] and [10] independently. First they showed that it is possible to get four times more votes for $\sigma_{13}$ than for all other values of $\sigma_i$. This makes it much easier for an attacker to decide on the value of $\sigma_{12}$ than on all other values of $\sigma_i$. Secondly, they found that the correlation used in the PTW attack can easily be modified to vote for the value of $\sigma_{12} + \sigma_i$, even when the value of $\sigma_{12}$ is unknown at this moment. After the attacker has decided on the value of $\sigma_{12}$, he can get additional votes for each $\sigma_i$ by subtracting the value of $\sigma_{12}$ from these votes. To use these additional correlations, an attacker needs the keystream bytes $X[15]$ to $X[30]$, which can sometimes be recovered too.
Using all these ideas, we modified an implementation of the PTW attack^1, resulting in a new WEP cracking tool, which clearly needs fewer packets than previous implementations of the PTW attack. We decided to use the same key ranking strategy as used for the original PTW attack. We limited the number of keys the implementation tests before failing to $2^{20}$. The same limit has been used by previous publications about WEP attacks, so that it should be easier to compare our attack to previous attacks.
^1 Deleted obvious reference for blind reviewing; the final paper will contain a reference to this implementation.
Figure 1 shows the success rate of our implementation. For a 50% success rate, the
attack only needs about 24,200 packets, compared to 32,700 for the VX attack[16] and
35,000 to 40,000 for various implementations of the PTW attack [15,14].
5 Breaking WPA
Our second contribution is an attack on WPA[2]. WPA standardizes two modes in which payload can be protected during transmission, Temporal Key Integrity Protocol (TKIP) and (AES-)CCMP. For this paper, we will concentrate on TKIP. TKIP is a slightly modified version of WEP. TKIP implements a more sophisticated key mixing function for mixing a session key with an initialization vector for each packet. This prevents all currently known related key attacks because every byte of the per packet key depends on every byte of the session key and the initialization vector. Additionally, a 64 bit Message Integrity Check (MIC) named MICHAEL[2] is included in every packet to prevent attacks on the weak CRC32 integrity protection mechanism known from WEP. To prevent simple replay attacks, a sequence counter (TSC) is used which allows packets to arrive at the receiver only in order.
TKIP was designed so that legacy hardware only supporting WEP should be firmware
or driver upgradeable to TKIP. Therefore, the RC4 stream cipher is still used and the
ICV is still included in every packet.
We will now show that it is still possible to decrypt traffic in a chopchop-like manner and to send packets with custom content. Assume that the following conditions are met: The network being attacked is using TKIP for client to access point communication. The IPv4 protocol is used with an IP range where most bytes of the addresses are known to the attacker (for example 192.168.0.X). A long re-keying interval is used for TKIP, for example 3600 seconds. The network supports the IEEE 802.11e Quality of Service features[2] which allow 8 different channels (named TID - traffic identifier) for different data flows, and a station is currently connected to the network.
These assumptions are quite realistic for most networks currently deployed in the wild. To attack such a network, an attacker first captures traffic until he has found an encrypted ARP request[11] or response. Such packets can easily be detected because of their characteristic length. Additionally, the source and destination Ethernet addresses are not protected by WEP and TKIP, and requests are always sent to the broadcast address of the network. Most of the plaintext of this packet is known to the attacker, except the last byte of the source and destination IP addresses, the 8 byte MICHAEL MIC and the 4 byte ICV checksum. MIC and ICV form the last 12 bytes of the plaintext.
An attacker can now launch a modified chopchop attack as against a WEP network to decrypt the unknown plaintext bytes. TKIP mainly contains two countermeasures against chopchop-like attacks:
- If a packet with an incorrect ICV value is received by a client, a transmission error is assumed and the resulting packet is silently discarded. If the ICV value is correct, but the MIC verification fails, an attack is assumed and the access point is notified by sending a MIC failure report frame. If more than 2 MIC verification failures occur in less than 60 seconds, the communication is shut down, and all keys are renegotiated after a 60 second penalty period.
- When a packet has been received correctly, the TSC counter for the channel it was received on is updated. If a packet with a lower value than the current counter is received (the packet is received out of order), the packet is discarded.
Nevertheless, it is still possible to execute a chopchop attack. An attacker needs to
execute the attack on a different QoS channel than the packet was originally received
on. Usually, there will be a channel with no or low traffic where the TSC counter is
still lower. If the guess for the last byte during the chopchop attack was incorrect, the
packet is still dropped silently. If the guess was correct, a MIC failure report frame
is sent by the client, but the TSC counter is not increased. The attacker needs to
wait for at least 60 seconds after triggering a MIC failure report frame to prevent the
client from engaging countermeasures. Within a little bit more than 12 minutes, the
attacker can decrypt the last 12 bytes of plaintext (MIC and ICV). To determine the
remaining unknown bytes (exact sender and receiver IP addresses), the attacker can
guess the values and verify them against the decrypted ICV.
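A receive-side model of the two countermeasures and of the gap between them, as an added Python example (not the paper's code and not any vendor's firmware). Frames are constructed records that carry the outcome of the ICV and MIC checks instead of real cryptography; the replay counter is kept per TID, a MIC failure leaves the counter untouched, and the second MIC failure inside the 60-second window is taken as the trigger for countermeasures (an assumption of the model, matching the 60-second spacing the text describes). The test sequence shows what the text argues: a frame with an old counter value is rejected on its original TID but accepted on a quiet one, and MIC failures spaced more than 60 seconds apart never trip the countermeasures.

```python
"""Receive-side model of the TKIP countermeasures described in Section 5:
silent ICV drop, MIC failure reporting with the 60-second rule, and the
per-TID TSC replay check.  Added example, not the paper's or any vendor's
code; frames are constructed records with precomputed check outcomes, and
the second MIC failure within the window is assumed to trigger countermeasures."""
from dataclasses import dataclass

ACCEPTED = "accepted"
DROP_REPLAY = "dropped: TSC not greater than the counter of this TID"
DROP_ICV = "dropped silently: ICV error"
DROP_COUNTERMEASURES = "dropped: countermeasures active"
MIC_REPORT = "MIC failure report frame sent"
MIC_COUNTERMEASURES = "MIC failure report frame sent; countermeasures engaged"


@dataclass(frozen=True)
class Frame:
    tid: int            # 802.11e traffic identifier (QoS channel), 0..7
    tsc: int            # TKIP sequence counter carried in the frame
    icv_ok: bool        # outcome of the CRC32 check (constructed)
    mic_ok: bool        # outcome of the Michael check (constructed)
    received_at: float  # seconds since the start of the session


class TkipReceiver:
    """One station's TKIP receive state for a single session key."""

    def __init__(self, failure_window=60.0, failures_to_trigger=2, penalty=60.0):
        self.failure_window = failure_window
        self.failures_to_trigger = failures_to_trigger
        self.penalty = penalty
        self.tsc_by_tid = {}          # replay counter per QoS channel
        self.mic_failures = []        # timestamps of recent MIC failures
        self.countermeasures_until = None

    def receive(self, frame):
        if self.countermeasures_until is not None:
            if frame.received_at < self.countermeasures_until:
                return DROP_COUNTERMEASURES
            # Penalty period over: keys renegotiated, all counters restart.
            self.countermeasures_until = None
            self.tsc_by_tid = {}
            self.mic_failures = []
        # The replay check is per TID; a frame carrying a counter value that is
        # stale on its original channel still passes on a channel with a lower
        # counter, which is the gap the attack in Section 5 relies on.
        if frame.tsc <= self.tsc_by_tid.get(frame.tid, -1):
            return DROP_REPLAY
        if not frame.icv_ok:
            return DROP_ICV           # treated as a transmission error
        if not frame.mic_ok:
            # A MIC failure is reported but does not advance the counter.
            self.mic_failures = [t for t in self.mic_failures
                                 if frame.received_at - t < self.failure_window]
            self.mic_failures.append(frame.received_at)
            if len(self.mic_failures) >= self.failures_to_trigger:
                self.countermeasures_until = frame.received_at + self.penalty
                return MIC_COUNTERMEASURES
            return MIC_REPORT
        self.tsc_by_tid[frame.tid] = frame.tsc
        return ACCEPTED


if __name__ == "__main__":
    rx = TkipReceiver()
    # Constructed sequence: a good frame, the same counter replayed on TID 0
    # and then on the unused TID 1, and MIC failures 67 s and 30 s apart.
    for f in [Frame(0, 100, True, True, 0.0), Frame(0, 100, True, True, 1.0),
              Frame(1, 50, True, True, 1.5), Frame(2, 50, True, False, 3.0),
              Frame(2, 50, True, False, 70.0), Frame(2, 50, True, False, 100.0)]:
        print(f.received_at, f.tid, f.tsc, "->", rx.receive(f))
```

A monitoring angle follows directly from the model: MIC failure report frames arriving from one client at a steady rate just over 60 seconds apart are the signature the text describes, and a rekeying interval shorter than the time needed for twelve such guesses (the 120 seconds suggested in Section 5.1) resets the state before the ICV and MIC can be recovered.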
After the MIC and the plaintext of the packet are known, an attacker can simply reverse the MICHAEL algorithm and recover the MIC key used to protect packets being sent from the access point to the client. The MICHAEL algorithm is not designed to be a one-way function, and reversing the algorithm is as efficient as calculating the algorithm forward.
At this point, the attacker has recovered the MIC key and knows a keystream for
access point to client communication. He is now able to send a custom packet to the
client on every QoS channel, where the TSC counter is still lower than the value used
for the captured packet. In most networks in the wild, all traffic is just transmitted
on channel 0, so that the attacker is now able to send 7 custom packets to the client.
After the attack has been successfully executed, an attacker can recover an additional keystream within 4-5 minutes, because he just needs to decrypt the 4 byte ICV using chopchop. The IP address bytes can be guessed, and the MIC can then be calculated using the known MIC key and verified against the ICV.
To cause damage, the attacker could for example send messages triggering IDS
systems which work on the IP layer. Alternatively, traffic could be rerouted using
fake ARP responses. The attacker could try to establish a bidirectional channel to
the client, if the client is connected to the internet using a firewall blocking incoming
traffic, but allowing outgoing traffic. The responses of the client cannot be read over
the air by the attacker, but could be routed back over the internet.
We created a proof of concept implementation of this attack^2 to verify that the attack actually works. We managed to attack hardware from various vendors, confirming that this attack is really applicable against real world networks.
^2 Deleted obvious reference; the final paper will contain a reference to the attack implementation.
Even if the network does not support the IEEE 802.11e QoS features, the attack still
seems to be possible. Here, the attacker needs to prevent the client from receiving the
data packet he chooses for the chopchop attack, and must disconnect the client from
the access point for the time of the attack, so that the TSC counter is not increased
by the packet or following packets. After the attacker has successfully executed the
chopchop attack, he can send a single data packet to the client. However, we did not
implement this attack mode.
If an attacker managed to recover a keystream still valid for a QoS channel and the MIC key for both directions (our attack only recovers a keystream and the MIC key for access point to client communication), he would be able to use them to recover additional keystreams and could send an unlimited number of packets with custom plaintext.
5.1 Countermeasures
To prevent this attack, we suggest using a very short rekeying time, for example 120 seconds or less. In 120 seconds, the attacker can only decrypt parts of the ICV value at the end of a packet. Alternatively, disabling the sending of MIC failure report frames on the clients would also prevent the attack. The best solution would be disabling TKIP and using a CCMP-only network.
6 Conclusion
WEP has been known to be insecure since 2001; however, we think that key recovery attacks against WEP are still of interest. On the one hand, WEP is still used in the wild, and on the other, some companies are selling hardware using modified versions of the WEP protocol which they claim to be secure. Secondly, the TKIP protocol used by WPA is not much different from WEP, so that attacks on WEP can affect the security of networks using TKIP, as seen in this paper.
Our attack on TKIP in Section 5 shows that even WPA with a strong password is
not 100% secure and can be attacked in a real world scenario. Although this attack
is not a complete key recovery attack, we suggest that vendors should implement
countermeasures against this attack. Because the problem can be fixed in a high level
part of the protocol, we think that updates can easily be developed and deployed with
new drivers.
References
[1] Andrea Bittau, Mark Handley, and Joshua Lackey. The final nail in WEP’s coffin.
In IEEE Symposium on Security and Privacy, pages 386–400. IEEE Computer
Society, 2006.
[2] IEEE-SA Standards Board. Wireless LAN Medium Access Control (MAC) and
Physical Layer (PHY) Specifications. Communications Magazine, IEEE, 2007.
[3] Rafik Chaabouni. Break wep faster with statistical analysis. Technical report,
EPFL, LASEC, June 2006.
11
[4] Scott R. Fluhrer, Itsik Mantin, and Adi Shamir. Weaknesses in the key scheduling algorithm of RC4. In Serge Vaudenay and Amr M. Youssef, editors, Selected Areas in Cryptography 2001, volume 2259 of Lecture Notes in Computer Science, pages 1–24. Springer, 2001.
[5] David Hulton. Practical exploitation of RC4 weakness in WEP environments, 2002. Presented at HiverCon 2002.
[6] Robert J. Jenkins. ISAAC and RC4. http://burtleburtle.net/bob/rand/isaac.html, 1996.
[7] A. Klein. Attacks on the RC4 stream cipher. Designs, Codes and Cryptography, 48(3):269–286, 2008.
[8] KoreK. chopchop (experimental WEP attacks). http://www.netstumbler.org/showthread.php?t=12489, 2004.
[9] KoreK. Next generation of WEP attacks? http://www.netstumbler.org/showpost.php?p=93942&postcount=35, 2004.
[10] Yuko Ozasa, Yoshiaki Fujikawa, Toshihiro Ohigashi, Hidenori Kuwakado, and Masakatu Morii. A study on the Tews, Weinmann, Pyshkin attack against WEP. In IEICE Tech. Rep., volume 107 of ISEC2007-47, pages 17–21, Future University-Hakodate, Hokkaido, July 19–20, 2007 (ISEC, SITE, IPSJ-CSEC).
[11] D. C. Plummer. RFC 826: Ethernet Address Resolution Protocol: Or converting network protocol addresses to 48.bit Ethernet address for transmission on Ethernet hardware, November 1982.
[12] David Sterndark. RC4 algorithm revealed. Usenet posting, Message-ID: <sternCvKL4B.Hyy@netcom.com>, September 1994.
[13] Adam Stubblefield, John Ioannidis, and Aviel D. Rubin. A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP). ACM Transactions on Information and System Security, 7(2):319–332, May 2004.
[14] Erik Tews. Attacks on the WEP protocol. Cryptology ePrint Archive, Report 2007/471, 2007. http://eprint.iacr.org/.
[15] Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin. Breaking 104 bit WEP in less than 60 seconds. In Sehun Kim, Moti Yung, and Hyung-Woo Lee, editors, WISA, volume 4867 of Lecture Notes in Computer Science, pages 188–202. Springer, 2007.
[16] Serge Vaudenay and Martin Vuagnoux. Passive-only key recovery attacks on RC4. In Selected Areas in Cryptography 2007, Lecture Notes in Computer Science. Springer, 2007.