- Dec 23, 2003
Cracking WEP Keys
Programs such as AirSnort, WEPCrack, and dweputils crack WEP keys based on an attack described in a paper titled “Weaknesses in the Key Scheduling Algorithm of RC4” written by Scott Fluhrer, Itsik Mantin, and Adi Shamir. This paper identified certain IVs that leak information about the secret key. In fact, there are large classes of these weak keys. If you can collect enough cipher text that is derived from them, you can determine the secret key with relatively little work. This assumes, however, that the attacker has knowledge of the first few bytes of plain text. Interestingly enough, because of RFC 1042 (SNAP headers), all IP and ARP packets always start with 0xAA. Therefore, the first few bytes of plain text are (almost) always known. (IPX/SPX traffic uses a different SNAP header.)
Brute Force Attacks vs. FMS Attacks
Traditional brute force and FMS attacks represent two very different styles of attack. With a brute force attack, you only need to capture a single encrypted packet and then apply an enormous amount of computing power. (You probably want two packets: one to crack the key and one to double check that the cracked key works.) FMS attacks, on the other hand, rely on capturing an enormous amount of encrypted traffic, then using very little CPU power for a probabilistic algorithm to crack the key. In fact, the FMS crack scales linearly, which means that cracking a 128-bit key takes only slightly longer than cracking a 64-bit key, once you have captured enough weak keys.
Effective FMS Attacks
The problem for FMS attacks is capturing enough encrypted data to crack the key. In a high traffic network, this can be accomplished in a matter of hours. However, in a low traffic environment, this process can take days or weeks. To crack the WEP key using FMS, some attackers are simply patient and resort to doing sneaky things like putting AirSnort (or other tools) on a PDA and placing it in the bushes near the AP for days at a time. Other attackers have developed more clever techniques to artificially generate network traffic in order to capture cipher text to crack the key.
One possible packet injection attack works like this: The attacker will capture the encrypted traffic and look for a known protocol negotiation based on the size of the captured packet; for example, an ARP request has a predictable size (28 bytes). Once captured, the attacker can simply re-inject the encrypted packet (ARP request) over and over again. The ARP response will generate new traffic, which the attacker can then capture. If the attacker repeats this process over and over again, it is possible to generate enough traffic for a successful FMS attack in about an hour. (See http://www.dachb0den.com for more information on this packet injection technique.)
Figure 3.7. The attacker captures a legitimate, encrypted packet and guesses that it is an ARP request based on a known size (28 bytes).
Figure 3.8. The attacker floods the network with the reinjected ARP request. This results in a flood of ARP responses, which the attacker captures as part of an FMS attack.
Keep in mind that FMS attacks rely upon the attacker's ability to capture weak keys. Many hardware vendors have implemented firmware updates for their wireless NICs and APs that simply skip the specific IVs that cause these weak keys. This weak key avoidance technique renders the FMS attack useless. This is another reason why upgrading the firmware in all the devices in your wireless network is particularly important.
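The following sketch shows what weak key avoidance amounts to on the transmitting side, plus a check an administrator can run over observed IVs to see whether a station still emits weak ones. It is an added example, not vendor firmware or code from the original text. It assumes only the best-known FMS class of weak IVs, (B+3, 0xFF, X), where B indexes a byte of the secret key; the counter-to-IV byte order, the function names, and the sample IVs are constructed for illustration, and real firmware may skip additional values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumption: weak IV = (B+3, 0xFF, X) with B in 0..key_len-1.
   key_len is the secret key length in bytes: 5 for WEP64, 13 for WEP128. */
int is_fms_weak_iv(const uint8_t iv[3], size_t key_len)
{
    return iv[1] == 0xFF && iv[0] >= 3 && (size_t)(iv[0] - 3) < key_len;
}

/* Transmit side: advance a 24-bit IV counter, skipping weak values.
   Mapping the counter's high byte to iv[0] is a choice made for this example. */
uint32_t next_safe_iv(uint32_t counter, size_t key_len)
{
    uint8_t iv[3];
    do {
        counter = (counter + 1) & 0xFFFFFF;
        iv[0] = (counter >> 16) & 0xFF;
        iv[1] = (counter >> 8) & 0xFF;
        iv[2] = counter & 0xFF;
    } while (is_fms_weak_iv(iv, key_len));
    return counter;
}

/* Audit side: count weak IVs seen from one transmitter. A nonzero count
   means that device is not applying this avoidance filter. */
size_t count_weak_ivs(const uint8_t (*ivs)[3], size_t n, size_t key_len)
{
    size_t weak = 0;
    for (size_t i = 0; i < n; i++)
        if (is_fms_weak_iv(ivs[i], key_len))
            weak++;
    return weak;
}

/* Constructed sample: IVs as they might be read from captured frame headers. */
static const uint8_t SAMPLE_IVS[6][3] = {
    {0x03, 0xFF, 0x10}, {0x07, 0xFF, 0x2A}, {0x08, 0xFF, 0x00},
    {0x02, 0xFF, 0x01}, {0x03, 0xFE, 0x10}, {0x12, 0x34, 0x56},
};

int main(void)
{
    printf("weak for WEP64:  %zu\n", count_weak_ivs(SAMPLE_IVS, 6, 5));
    printf("weak for WEP128: %zu\n", count_weak_ivs(SAMPLE_IVS, 6, 13));
    printf("next IV after 0x03FEFF: 0x%06X\n", (unsigned)next_safe_iv(0x03FEFF, 5));
    return 0;
}
```

Because the filter depends on the secret key length, the same IV can be acceptable for WEP64 and weak for WEP128, so the audit should be run with the key length actually deployed.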
Orinoco Release Notes
Orinoco began implementing weak key avoidance in their firmware in the winter of 2002. The release notes for the Orinoco 8.10 firmware upgrade include the following:
WEP Weak Key Avoidance
The key that is input to the WEP64 or 128 RC4 encryption algorithm consists of the secret key configured by the user (or via 802.1x) concatenated with the IV (Initialization Vector). The IV is determined by the transmitting station. By excluding certain IV values that would create so-called “weak keys,” the weakness of WEP as described in “Weaknesses in the Key Scheduling Algorithm of RC4” by Scott Fluhrer, Itsik Mantin and Adi Shamir, and demonstrated through the AirSnort program, is avoided. Note that, as the IV is always determined by the transmitting station, there is no impact on interoperability. Stations/APs with weak key avoidance implemented can interoperate with stations/APs that do not have this. Of course, protection against this attack is provided only if all stations and APs implement this new scheme.