Copy of (in)security of wired equivalent privacy

Presentation used for the exam in the cryptography course at Aarhus University
Daniel Milo Farkner

1994
1999
2003
2007
RC4
RC4-PRGA
WEP
RC4-KSA
From Wikipedia
Klein's
for n = 256
KoreK
FMS
Implementation
PTW
Fragmentation
Bruteforce
Keystream
=
0
n
=
?
Recover key bytes based on X[0]
Recover key bytes based on X[1]
Reduce size of search space
Category of attacks
KoreK A_s13
The insecurity of Wired Equivalent Privacy (WEP)
The Jenkins' correlation
Pseudo random approach
Incremental approach
Result
Key ranking
Pure fragmentation attack
Fragmented key stream attack
Finding keystreams
Keyranking
Klein - manual
PTW - static bound
Source: http://www.milotopia.dk/security/wep/WepCrack.zip
Idea: 
Voting process:
Vote once => Faster retries/More retries
Demonstration
7 key stream bytes for 64bit WEP
15 key stream bytes for 128bit WEP
Example:
Scott Fluhrer
Itsik Mantin
Adi Shamir
(cc) image by anemoneprojectors on Flickr
Check
S_3[1] = 0
S_3[S_3[1]] = S_3[0] = 3
j_4 = j_3 + S_3[3] + K[3]
    = 75 + 1 + 53
    = 129
KSA:
PRGA:
The FMS attack:
Obtain the stream cipher's first key byte
Use IV to simulate KSA, and thereby calculate the targeted secret key byte K[p]

Chance of success: ~5% per calculation!
Conditions:
if met
From the IV the attacker knows the first 3 bytes, hence p > 2
The attacker obtains information about the first byte being 129.
Step 1:
Step 2:
Conditions:
Chance of success:

=13,75%
Much better than FMS, due to only requiring 2 values unchanged
Example
KoreK A_s3
Conditions
Chance of success:
Example
The attacker knows the first 4 bytes of the key
What we need is to obtain S_p and j_p. This is done by simulating the first
p steps of the KSA. In the next step we know that 
will be swapped into the position            . So if we want information on K[p],
we need position p in S to not be changed during the following n-2
swaps, before we get the output X[p - 1]. So we need to look at the probability
of p - X[p - 1] =                                   . We do this in two cases, one where
position p has been swapped, and one where it remains.
First we need a correlation in RC4, the Jenkins' correlation:
17 attacks - most of them use the concept from FMS
Questions?
