Home > Articles > Networking > Wireless/High Speed/Optical

  • Print
  • + Share This
This chapter is from the book

Authentication Spoofing

A variation of the packet injection attack is authentication spoofing. In order to understand how this attack works, let's take another look at the shared key authentication process.

  • Step 1— The client sends an authentication request to the AP.

  • Step 2— The AP sends the client 128 bytes of challenge text.

  • Step 3— The client encrypts the challenge text with its WEP key and sends the challenge response back to the AP.

  • Step 4— The AP uses its knowledge of the WEP key to validate the challenge response and determine if the client does, in fact, know the shared secret key.

  • Step 5— The AP responds to the client with a success or failure message.

The problem here is that if an attacker can observe this negotiation process, she will know the plain text (challenge text) and its associated cipher text (challenge response). Using the message injection attack methodology, the attacker could then derive the key stream, request authentication from the AP, and use the same key stream on the challenge text to create a valid challenge response. The attacker would then be authenticated to the AP even though she has no knowledge of the WEP key. This attack works because the challenge text is always 128 bytes and, again, because IVs can be repeated and reused.

  • + Share This
  • 🔖 Save To Your Account