Breaking 104 Bit WEP in Less Than 60 Seconds

  • Erik Tews
  • Ralf-Philipp Weinmann
  • Andrei Pyshkin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4867)


We demonstrate an active attack on the WEP protocol that is able to recover a 104-bit WEP key using less than 40,000 frames with a success probability of 50%. In order to succeed in 95% of all cases, 85,000 packets are needed. The IV of these packets can be randomly chosen. This is an improvement in the number of required frames by more than an order of magnitude over the best known key-recovery attacks for WEP. On a IEEE 802.11g network, the number of frames required can be obtained by re-injection in less than a minute. The required computational effort is approximately 220 RC4 key setups, which on current desktop and laptop CPUs is negligible.


Equivalent Privacy Initialization Vector Stream Cipher Address Resolution Protocol Cryptology ePrint Archive 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bittau, A., Handley, M., Lackey, J.: The final nail in WEP’s coffin. In: IEEE Symposium on Security and Privacy, pp. 386–400. IEEE Computer Society Press, Los Alamitos (2006)Google Scholar
  2. 2.
    Borisov, N., Goldberg, I., Wagner, D.: Intercepting mobile communications: the insecurity of 802.11. In: ACM MobiCom 2001, pp. 180–189. ACM Press, New York (2001)Google Scholar
  3. 3.
    Chaabouni, R.: Break WEP faster with statistical analysis. Technical report, EPFL, LASEC (June 2006),
  4. 4.
    Dörhöfer, S.: Empirische Untersuchungen zur WLAN-Sicherheit mittels Wardriving. Diplomarbeit, RWTH Aachen (September 2006) (in German)Google Scholar
  5. 5.
    Fluhrer, S.R., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 1–24. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  6. 6.
    Hulton, D. (h1kari).: bsd-airtools,
  7. 7.
    Klein, A.: Attacks on the RC4 stream cipher. Designs, Codes and Cryptography (submitted, 2007)Google Scholar
  8. 8.
    KoreK. chopchop (experimental WEP attacks) (2004),
  9. 9.
    KoreK. Next generation of WEP attacks (2004),
  10. 10.
    Maitra, S., Paul, G.: Many keystream bytes of RC4 leak secret key information. Cryptology ePrint Archive, Report2007/261(2007),
  11. 11.
    Ohigashi, T., Kuwakado, H., Morii, M.: A key recovery attack on WEP with less packets (2007)Google Scholar
  12. 12.
    Ozasa, Y., Fujikawa, Y., Ohigashi, T., Kuwakado, H., Morii, M.: A study on the Tews, Weinmann, Pyshkin attack against WEP. In: IEICE Tech. Rep., Hokkaido, July 2007. ISEC2007-47, vol. 107, pp. 17–21 (2007) Thu, Jul 19, 2007 - Fri, Jul 20 : Future University-Hakodate (ISEC, SITE, IPSJ-CSEC) Google Scholar
  13. 13.
    Plummer, D.C.: RFC 826: Ethernet Address Resolution Protocol: Or converting network protocol addresses to 48.bit Ethernet address for transmission on Ethernet hardware (November 1982)Google Scholar
  14. 14.
    Postel, J.: Internet Protocol. Request for Comments (Standard) 791, Internet Engineering Task Force (September 1981)Google Scholar
  15. 15.
    Stubblefield, A., Ioannidis, J., Rubin, A.D.: A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP). ACM Transactions on Information and System Security 7(2), 319–332 (2004)CrossRefGoogle Scholar
  16. 16.
    The Aircrack-NG team. Aircrack-ng suite (2007),
  17. 17.
    Vaudenay, S., Vuagnoux, M.: Passive-only key recovery attacks on RC4. In: Selected Areas in Cryptography 2007. LNCS, Springer, Heidelberg (to appear, 2007)Google Scholar
  18. 18.
    Wi-Fi Alliance. Wi-Fi Protected Acccess (WPA) (2003),

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Erik Tews
    • 1
  • Ralf-Philipp Weinmann
    • 1
  • Andrei Pyshkin
    • 1
  1. 1.TU DarmstadtFB InformatikGermany

Personalised recommendations