# Smashing WEP in a Passive Attack

## Abstract

In this paper, we report extremely fast and optimised active and passive attacks against the old IEEE 802.11 wireless communication protocol WEP. This was achieved through a huge amount of theoretical and experimental analysis (capturing WiFi packets), refinement and optimisation of all the former known attacks and methodologies against RC4 stream cipher in WEP mode. We support all our claims by providing an implementation of this attack as a publicly available patch on Aircrack-ng. Our new attacks improve its success probability drastically. We adapt our theoretical analysis in Eurocrypt 2011 to real-world scenarios and we perform a slight adjustment to match the empirical observations. Our active attack, based on ARP injection, requires \(22\,500\) packets to gain success probability of \(50\,\%\) against a \(104\)-bit WEP key, using Aircrack-ng in non-interactive mode. It runs in less than \(5\) s on an off-the-shelf PC. Using the same number of packets, Aicrack-ng yields around \(3\,\%\) success rate. Furthermore, we describe very fast passive only attacks by just eavesdropping TCP/IPv4 packets in a WiFi communication. Our passive attack requires \(27\,500\) packets. This is *much less than the number of packets* Aircrack-ng requires in *active mode* (around \(37\,500\)), which is a huge improvement. We believe that our analysis brings on further insight to the security of RC4.

## 1 Introduction

RC4 was designed by Rivest in 1987. It used to be a trade secret until it was anonymously posted on Cypherpunks mailing list in September 1994. Nowadays, due to its simplicity, RC4 is widely used in SSL/TLS, Microsoft Lotus, Oracle Secure SQL and Wi-Fi 802.11 wireless communications. The 802.11 [9] used to be protected by WEP (Wired Equivalent Privacy) which is now being replaced by WPA (Wi-Fi Protected Access) due to security weaknesses.

WEP uses RC4 with a pre-shared key. Each packet is encrypted by an XOR to a keystream generated by RC4. The RC4 key is a pre-shared key prepended with a 3-byte nonce initialisation vector \(\mathsf {IV}\). The \(\mathsf {IV}\) is sent in clear for self-synchronisation. There have been several attempts to break the full RC4 algorithm, but it has only been devastating so far in this scenario. Indeed, the adversary knows that the key is constant except the \(\mathsf {IV}\), which is known. An active adversary can alter the \(\mathsf {IV}\). Nowadays, WEP is considered as being terribly weak, since passive attacks can recover the full key easily by assuming that the first bytes of every plaintext frame are known.

*Structure of the paper.* First, in Sect. 2, we refer to the motivation in this research area, then we present RC4, WEP and Aircrack-ng in Sect. 3. In Sect. 4, we go through all the existing well-known attacks on WEP. Next, we introduce some useful lemmas in Sect. 5. Then, we present all known biases for RC4 in Sect. 6. Subsequently, we elaborate on an optimised attack on WEP in Sect. 7 and, we compare our results with Aircrack-ng 1.1 in Sect. 8. Finally, we discuss some challenges and open problems in Sect. 9.

## 2 Motivation

For some people, attacking WEP is like beating a dead horse, but this horse is still running wildly in many countries all over the world. Also, some companies are selling hardware using modified versions of the WEP protocol, they claim to be secure [2]. Moreover, the new analysis and biases presented in this paper are related to RC4, which is the most popular stream cipher in the history of symmetric key cryptography. WEP is an example of a practical exploitation of these biases. The cryptanalysis of WEP is one of the most applied cryptographic attacks in practice. Indeed, tools such as Aircrack-ng are massively downloaded to provide a good example of weaknesses in cryptography. Finally, the TKIP protocol used by WPA is not much different from WEP (just a patch over WEP), so that attacks on WEP can affect the security of networks using TKIP, as seen in [2, 26]. For instance in [26], the authors used exactly the same biases as in WEP to break WPA. Hence, gaining a better understanding of the behaviour of these biases may lead to a practical breach of WPA security in future.

## 3 Preliminaries

### 3.1 Description of RC4 and Notations

The RC4 stream cipher consists of two algorithms: the Key Scheduling Algorithm \((\mathsf {KSA})\) and the Pseudo Random Generator Algorithm \((\mathsf {PRGA})\). The RC4 engine has a state defined by two registers (words) \(i\) and \(j\) and one array (of \(N\) words) \(S\) defining a permutation over \(\mathbf{Z}/N\mathbf{Z}\). The \(\mathsf {KSA}\) generates an initial state for the \(\mathsf {PRGA}\) from a random key \(K\) of \(L\) words as described in Fig. 1. It starts with an array \(\{0,1,\ldots ,N-1\}\), where \(N=2^8\) and swaps \(N\) pairs, depending on the value of the secret key \(K\). At the end, we obtain the initial state \(S'_0\).

*words*are

*bytes*). Thus, \(x+y\) should be read as \((x + y) \mod N\).

Once the initial state \(S'_0\) is created, it is used by the second algorithm of RC4, the \(\mathsf {PRGA}\). Its role is to generate a keystream of words of \(\log _2N\) bits, which will be XORed with the plaintext to obtain the ciphertext. Thus, RC4 computes the loop of the \(\mathsf {PRGA}\) each time a new keystream word \(z_i\) is needed, according to the algorithm in Fig. 1. Note that each time a word of the keystream is generated, the internal state \((i, j, S)\) of RC4 is updated.

*density*of the bias (for the list of such correlations, see Table 1 in Appendix).

**Definition 1**

### 3.2 Description of WEP

To protect the integrity of the data, a \(32\)-bit long \(\mathsf {CRC32}\) check sum called \(\mathsf {ICV}\) is appended to the data. Similar to other stream ciphers, the resulting stream is XORed with the RC4 keystream and it is sent through the communication channel together with the \(\mathsf {IV}\) in clear. On the receiver’s end, the ciphertext is again XORed with the shared key and the plaintext is recovered. The receiver checks the linear error correcting code and it either accepts the data or declines it.

It is well known [21, 31, 34] that a relevant portion of the plaintext is practically constant and that some other bytes can be predicted. They correspond to the LLC header and the SNAP header and some bytes of the TCP/IPv4 and ARP encapsulated frames. For example, by XORing the first byte of the ciphertext with the constant value \(\mathsf {0xAA}\), we obtain the first byte of the keystream. Thus, even if these attacks are called known plaintext attacks, they are ciphertext only in practice (see the Appendix for the structure of ARP and TCP/IPv4 packets).

We consider both passive and active adversaries in this paper. For an active attack, the attacker eavesdrops the ARP packets and since the plaintext bytes are known up to the \(32\)-nd byte, she can compute \(z_1, \dots , z_{32}\) values using the ciphertext. It is also possible to inject data into the network. Because the ARP replies expire quickly (resetting the ARP cache), it usually takes only a few seconds or minutes until an attacker can capture an ARP request and start re-injecting it [31]. On the other hand, active attacks are detectable by Intrusion Detection systems (IDS) and also some network cards require extra driver patches to be able to inject data into the traffic, which is not available for all network cards. This is not the case for a passive attack. The attacker can eavesdrop the wireless communication channel for TCP/IPv4 packets, but some of the data frames are not known in this case (see the Appendix). As represented in Table 1, the Klein and the Maitra-Paul attacks require \(z_i\) and \(z_{i + 1}\) to recover \(\bar{K}[i]\) respectively. Hence in reality, we are not able to use those attacks to recover some bytes of the key. This is not the case for the Korek attacks, since they only require \(z_1\) and \(z_2\). To summarise, we need more packets in a passive attack compared to an active attack. We are going to elaborate on both types of attacks later.

### 3.3 Aircrack-ng

Aircrack-ng [5] is a WEP and WPA-PSK keys cracking program that can recover keys once enough data packets have been captured. It is the most widely downloaded cracking software in the world. It implements the standard Fluhrer, Mantin and Shamir’s (FMS) attack [7] along with some optimisations like the Korek attacks [13, 14], as well as the Physkin, Tews and Weinmann (PTW) attack [31]. In fact, it currently has the implementation of state of the art attacks on WEP and WPA. We applied a patch on Aircrack-ng 1.1 in our implementation.

## 4 State of the Art Attacks on WEP

WEP key recovery process is harder in practice than in theory. Indeed, some bytes of the keystream are unknown, depending on which type of packets are captured. Moreover, theoretical success probability has often been miscalculated and conditions to recover the secret key are not the same depending on the paper. For example, [2, 25, 31, 34] check \(2 \times 10^6\) most probable keys instead of the first one as in [7, 11, 13, 14, 27, 28]. Additionally, IEEE \(802.11\) standard does not specify how the \(\mathsf {IV}\)’s should be chosen. Thus, some attacks consider randomly picked \(\mathsf {IV}\)’s or incremental \(\mathsf {IV}\)’s (both little-endian and big-endian encoded). Some implementations specifically avoid some classes of \(\mathsf {IV}\)’s which are weak with respect to some attacks.

In [7], Fluhrer, Mantin and Shamir’s (FMS) attack is only theoretically described. The authors postulate that \(4\) million packets would be sufficient to recover the secret key of WEP with success probability of \(50\,\%\) with incremental \(\mathsf {IV}\)’s. A practical implementation of this attack has been realised by Stubblefield, Ioannidis and Rubin [27, 28]. They showed that indeed between \(5\) million to \(6\) million packets are required to recover the secret key using the FMS attack. Note that in \(2001\), almost all wireless cards were using incremental \(\mathsf {IV}\)’s in big-endian.

There is no theoretical analysis of the Korek [13, 14] key recovery attacks. Only practical implementations such as Aircrack-ng [5] are available. Additionally, Aircrack-ng classifies the most probable secret keys and does a brute-force attack on this list. The success probability of \(50\,\%\) is obtained when about \(100\,000\) packets are captured with random \(\mathsf {IV}\)’s. Note that the amount of the brute-forced keys depends on the values of the secret key and the

*“Fudge”*factor [5] (the highest vote counter is divided by the Fudge factor and all values with votes higher than this value is brute-forced), a parameter chosen by the attacker (often \(1\), \(2\) or \(3\)). By default, around one thousand to one million keys are brute-forced.The ChopChop attack was introduced in [12, 30], which allows an attacker to interactively decrypt the last \(m\) bytes of an encrypted packet by sending \(128 \times m\) packets in average to the network. The attack does not reveal the main key and is not based on any special property of the RC4 stream cipher.

In [11], Klein showed theoretically that his new attack needs about \(25\,000\) packets with random \(\mathsf {IV}\)’s to recover the secret key with probability \(50\,\%\). Note that, there is no practical implementation of the Klein attack alone, but both PTW [31] and \(\mathsf {VV07}\) [34] attacks (using Klein attack by default), which theoretically improve the key recovery process, need more than \(25\,000\) packets. So, the theoretical success probability of the Klein attack was over estimated. We implemented this attack and we obtained the success probability of \(50\,\%\) with about \(60\,000\) packets (random \(\mathsf {IV}\)’s).

Physkin, Tews and Weinmann (PTW) showed in [31] that the secret key can be recovered with only \(40\,000\) packets for the same success probability (random \(\mathsf {IV}\)’s). However, this attack brute-forces the \(2 \times 10^6\) most probable secret keys. Thus, the comparison with previous attacks is less obvious. Moreover, there is no theoretical analysis of this attack, only practical results are provided by the authors. We confirmed this practical result.

Vaudenay and Vuagnoux [34] showed an improved attack, where the same success probability can be reached with an average of \(32\,700\) packets with random \(\mathsf {IV}\)’s. This attack also tests the \(2 \times 10^6\) most probable secret keys. Moreover, only practical results are provided by the authors. We confirmed this practical result.

According to [2], Beck and Tews re-implemented the [34] attack in \(2009\), obtaining the same success probability with only \(24\,200\) packets using Aircrack-ng in “interactive mode”, i.e., the success probability is fixed in this approach and the goal is to derive the least average number of packets for a successful attack. Obviously, this approach requires less packets than the case where we fix the number of packets and compute the success rate. We focus on the latter approach, since this is done often in the literature as a measure of comparison. Since Beck and Tews’s attack was implemented on Aircrack-ng, we ran it in non-interactive mode. We observed that \(24\,200\) packets brings about only less that \(8\,\%\) success rate in non-interactive mode. In fact, it needs more than \(36\,000\) packets to yield the success probability of \(50\,\%\). Therefore, it seems this attack does not yield any more success rate than the [34] attack.

Sepehrdad, Vaudenay and Vuagnoux [25], showed that only \(9\,800\) packets is enough to break WEP with success probability of \(50\,\%\), while they used a

*class of weak*\(\mathsf {IV}\)’s for their attack. We show in the following that reaching \(9\,800\) packets to break WEP with*random*\(\mathsf {IV}\)’s is extremely ambitious by the currently available biases for RC4.In Eurocrypt 2011 [26], we presented an attack on WEP by optimising all the previous known attacks in the literature and by introducing a few new correlations. As a result, we claimed

*theoretically*that using \(4\,000\) packets, our analysis provides a success probability of \(50\,\%\) to break WEP. We did not implement the attack at that time. Only theoretical results were presented. In this paper, we show that some parts of that evaluation is not precise enough and need modification. In fact, we show that our theory needs more than \(4\,000\) packets, due to the imprecise approximation of the variance of the rank of the correct key and an improper estimation of the probability distribution of this random variable.In this paper, in an optimised attack, we drop the number of packets to \(22\,500\) for the same success probability by modifying the [26] attack and patching Aircrack-ng in non-interactive mode. It requires only \(19\,800\) packets using Aircrack-ng in interactive mode. In our approach, the \(2 \times 10^6\) most probable secret keys are brute-forced and we use random \(\mathsf {IV}\)’s.

## 5 Some Useful Lemmas

**Lemma 1**

*Proof*

See Chap. 3 of [24] for the proof. \(\square \)

**Corollary 1**

*Proof*

The \(\otimes \) operation is commutative and associative over \([0, 1]\) and \(1\) is the neutral element. The above statements should be trivial using these properties. \(\square \)

We can extend the above Corollary by adding new conditions.

**Lemma 2**

*Proof*

See Chap. 3 of [24] for the proof. \(\square \)

**Lemma 3**

*Proof*

**Lemma 4**

*Proof*

See Chap. 3 of [24] for the proof. \(\square \)

## 6 The List of Biases for RC4

In this section, we only report RC4 correlations which are exploitable against WEP application. All such biases are listed in Table 1 in Appendix, following the notations in Sect. 3.1. This list includes the improved version of the Klein attack in [34] and the improved version of the Maitra-Paul attack in [15]. Furthermore, it includes an improved version of \(19\) biases by Korek [13, 14] and \(\mathsf {SVV\_10}\), the improved bias of Sepehrdad, Vaudenay and Vuagnoux in [25]. All the probabilities are new. We have proved all the correlations listed in Table 1, but, we have omitted the proofs due to the lack of space^{1}. Biases were computed using the formulas represented after Table 1.

As an example, we are going to elaborate and provide a proof for the Klein-Improved attack, since it is fundamental in our WEP attack. The proof of all the other correlations are similar. The interested reader can also look at [4, 24, 26] for more details.

### 6.1 The Klein-Improved Attack

Andreas Klein combined the Jenkins correlation for the \(\mathsf {PRGA}\) and weaknesses of the \(\mathsf {KSA}\) and derived a correlation between the key bytes and the keystream. This bias was further improved in [34] by recovering \(\bar{K}[i]\)’s instead of \(K[i]\) to reduce the secret key bytes dependency.

**Theorem 1**

**(Jenkins correlation**[10]

**,**

**Sec. 2.3 in**[16]

**).**Assume that the initial permutation \(S'_0 = S_{N - 1}\) is randomly chosen from the set of all the possible permutations over \(\{0, \dots , N - 1\}\). Then,

*Proof*

- 1.
\(S'_i[j'_i] \mathop {=}\limits ^{P_J} i - z_i\) (Lemma 1)

- 2.
\(S'_i[j'_i] = S'_{i-1}[i]\)

- 3.
\(S'_{i-1}[i] \mathop {=}\limits ^{P_0} S_i[i]\) (Lemma 4)

- 4.
\(S_i[i] = S_{i-1}[j_i]\)

- 5.
\(S_{i - 1}[j_i] \underset{\mathsf {Cond'}}{\mathop {=}\limits ^{P_A^1}} S_t[j_i]\) (where \(\mathsf {Cond'}\) is the event that \(j_i \le t\) or \(j_i > i - 1\).)

- 6.
\(j_i = \bar{K}[i] + \displaystyle \sum _{x = 1}^i S_{x - 1}[x]\) (Lemma 3)

- 7.
\(\displaystyle \sum _{x = 1}^i S_{x - 1}[x] \mathop {=}\limits ^{P_B} \sigma _i\) (Lemma 4)

Next, we are going to describe our modifications on Sepehrdad, Vaudenay and Vuagnoux attack [26] to mount a very fast key recovery attack on WEP.

## 7 An Optimised Attack on WEP

### 7.1 Analysis Based on Pólya Distribution

In [26], it was assumed that the distribution of \(R_i\) is normal. Running a few experiments, we noticed that in fact it is not normal and it is following a distribution very close to the Poisson distribution. A crucial observation was that the variance of the distribution was much higher than the expected value. A number of distributions have been devised for series in which the variance is significantly larger than the mean [1, 6, 18], frequently on the basis of more or less complex biological models [3]. The first of these was the negative binomial, which arose in deriving the Poisson series from the point binomial [29, 35]. We use a generalised version of negative binomial distribution called the Pólya distribution.

## 8 Comparison with Aircrack-ng

## 9 Challenges and Open Problems

WEP key recovery process is harder in practice than in theory. This is because the biases in RC4 are not independent, and several bytes of the keystream are unknown in ARP and TCP/IP packets. Therefore, the theoretical analysis is more complex if the dependencies are considered. Also, some bytes of the keystream have to be guessed, and the proportion of TCP/IP packets to ARP packets is distinct for every network and attack (passive vs. active). The a priori probability of guessing those bytes correctly can not be precisely determined, and we had to leverage some heuristics to deal with this problem; Since this proportion also depends on the traffic itself, finding the \(\rho \) which is optimised for every network is not feasible. We leveraged some heuristics to set the \(\rho \) to obtain a high success rate in practice. Moreover, the Aircrack-ng is not an interactive software. The interaction with the user may allow to tweak the \(\rho \) and/or wait for more packets to capture. This trade-off should also be considered in real life applications.

The Algorithm 2 is recursive. This recursion is very expensive in practice, since with a wrong guess on a key byte, all the subsequent key bytes with higher indices are recovered incorrectly (in theory), so we need to recompute the vote for each of them again. In practice, we observed that a wrong guess of a key byte *does not* influence the next key bytes recovery significantly. For instance, even with a wrong guess on \(\bar{K}[3]\), in many cases, we could still recover all the subsequent bytes correctly. This is because a wrong guess for \(\bar{K}[3]\) mandates only \(16\) wrong swaps out of \(256\) iterations of the \(\mathsf {KSA}\). A further improvement to our work can be to adjust our theory to consider such cases. Hence, in our implementation, we perform a recursive attack to only find the best key candidate, and if it turns out to be a wrong key, we then use the pre-computed voted list to perform an exhaustive search, with no re-voting.

**Conclusion**

In this paper, we gave a precise theoretical background to improve the state of the art attacks on WEP. As an empirical proof, we updated Aircrack-ng and showed that our attack significantly outperforms the previous versions in all scenarios. We modified the algorithm according to the theoretical results, removed the ad-hoc constants which were initially found empirically in previous papers and implementations. We gave a theoretical background for all constants which affect the performance of the new Aircrack-ng. This result shows the significance of theoretical analysis in practical scenarios, and allows the attacker to break WEP even on constrained devices. As a result, the best attack to date requires \(22\,500\) packets for the success probability of \(50\,\%\) to break WEP.

**Note.** The imprecision of distributions and variances also affect our analysis reported for WPA in [26]. But, we recomputed all numerical values with the precise theoretical formulas and observed only a negligible overheard compared to the derived complexity in [26].

## Footnotes

## Notes

### Acknowledgment

We would like to sincerely thank Dr. Erik Tews for giving very helpful comments on Aicrack-ng implementation.

### References

- 1.Anscombe, F.J.: Sampling theory of the negative binomial and logarithmic series distributions. Biometrika
**37**(3–4), 358–382 (1950)CrossRefMATHMathSciNetGoogle Scholar - 2.Beck, M., Tews, E.: Practical attacks against WEP and WPA. In: WISEC, pp. 79–86. ACM (2009)Google Scholar
- 3.Bliss, C.I., Fisher, R.A.: Fitting the negative binomial distribution to biological data. Biometrika
**9**, 176–200 (1953)CrossRefGoogle Scholar - 4.Chaabouni, R.: Break WEP Faster with Statistical Analysis. Semester Project. EPFL, Switzerland (2006)Google Scholar
- 5.Devine, C., Otreppe, T.: Aircrack-ng. http://www.aircrack-ng.org/. Accessed 22 October 2011
- 6.Feller, W.: On a general class of “contagious” distributions. Ann. Math. Stat.
**14**, 389–400 (1943)CrossRefMATHMathSciNetGoogle Scholar - 7.Fluhrer, S.R., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 1–24. Springer, Heidelberg (2001) CrossRefGoogle Scholar
- 8.IEEE. IEEE Std 802.11, Standards for Local and Metropolitan Area Networks: Wireless Lan Medium Access Control (MAC) and Physical Layer (PHY) Specifications (1999)Google Scholar
- 9.IEEE. ANSI/IEEE standard 802.11i, Amendment 6 Wireless LAN Medium Access Control (MAC) and Physical Layer (phy) Specifications, Draft 3 (2003)Google Scholar
- 10.Jenkins, R.: ISAAC and RC4 (1996). http://burtleburtle.net/bob/rand/isaac.html
- 11.Klein, A.: Attacks on the RC4 Stream Cipher. Des. Codes Crypt.
**48**, 269–286 (2008)CrossRefMATHGoogle Scholar - 12.Korek. chopchop (experimental WEP attacks) (2004). http://www.netstumbler.org/showthread.php?t=12489
- 13.Korek. Need Security Pointers (2004). http://www.netstumbler.org/showthread.php?postid=89036#post89036
- 14.Korek. Next Generation of WEP Attacks? (2004). http://www.netstumbler.org/showpost.php?p=93942&postcount=35
- 15.Maitra, S., Paul, G.: New form of permutation bias and secret key leakage in keystream bytes of RC4. In: Nyberg, K. (ed.) FSE 2008. LNCS, vol. 5086, pp. 253–269. Springer, Heidelberg (2008) CrossRefGoogle Scholar
- 16.Mantin, I.: Analysis of the stream cipher RC4. Master’s thesis, Weizmann Institute of Science (2001)Google Scholar
- 17.Maximov, A.: Two linear distinguishing attacks on VMPC and RC4A and weakness of RC4 family of stream ciphers. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 342–358. Springer, Heidelberg (2005) CrossRefGoogle Scholar
- 18.Neyman, J.: On a new class of “contagious” distributions, applicable in entomology and bacteriology. Ann. Math. Stat.
**10**, 35–57 (1939)CrossRefGoogle Scholar - 19.Nocedal, J., Wright, S.J.: Numerical Optimization. Springer Series in Operations Research, 2nd edn. Springer, New York (2006)MATHGoogle Scholar
- 20.Paul, G., Maitra, S.: Permutation after RC4 key scheduling reveals the secret key. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 360–377. Springer, Heidelberg (2007) CrossRefGoogle Scholar
- 21.Postel, J., Reynolds, J.: A standard for the transmission of IP datagrams over IEEE 802 networks (1988). http://www.cs.berkeley.edu/~daw/my-posts/my-rc4-weak-keys
- 22.Roos, A.: A Class of Weak Keys in RC4 Stream Cipher (sci.crypt) (1995). http://marcel.wanda.ch/Archive/WeakKeys
- 23.Gupta, S.S., Maitra, S., Paul, G., Sarkar, S.: (Non)Random sequences from (Non)Random permutations - analysis of RC4 stream cipher. J. Crypt.
**27**(1), 67–108 (2012)Google Scholar - 24.Sepehrdad, P.: Statistical and Algebraic Cryptanalysis of Lightweight and Ultra-lightweight Symmetric Primitives. Ph.D. thesis, EPFL, Switzerland (2012)Google Scholar
- 25.Sepehrdad, P., Vaudenay, S., Vuagnoux, M.: Discovery and exploitation of new biases in RC4. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 74–91. Springer, Heidelberg (2011) CrossRefGoogle Scholar
- 26.Sepehrdad, P., Vaudenay, S., Vuagnoux, M.: Statistical attack on RC4: Distinguishing WPA. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 343–363. Springer, Heidelberg (2011) CrossRefGoogle Scholar
- 27.Stubblefield, A., Ioannidis, J., Rubin, A.D.: Using the Fluhrer, Mantin, and Shamir attack to break WEP. In: Network and Distributed System Security Symposium (NDSS) (2002)Google Scholar
- 28.Stubblefield, A., Ioannidis, J., Rubin, A.D.: A key recovery attack on the 802.11b wired equivalent privacy protocol (WEP). In: ACM Transactions on Information and System Security (TISSEC), vol. 7(2) (2004)Google Scholar
- 29.Student. On the error of counting with a haemocytometer. Biometrika 5, 351–360 (1907)Google Scholar
- 30.Tews, E.: Attacks on the WEP protocol. Cryptology ePrint Archive (2007). http://eprint.iacr.org/2007/471.pdf
- 31.Tews, E., Weinmann, R.-P., Pyshkin, A.: Breaking 104 bit WEP in less than 60 seconds. In: Kim, S., Yung, M., Lee, H.-W. (eds.) WISA 2007. LNCS, vol. 4867, pp. 188–202. Springer, Heidelberg (2008) CrossRefGoogle Scholar
- 32.Thom, H.C.S.: The frequency of hail occurrence. Theoret. Appl. Climatol.
**8**, 185–194 (1957)Google Scholar - 33.Thom, H.C.S.: Tornado Probabilities. In: American Meteorological Society, pp. 730–736 (1963)Google Scholar
- 34.Vaudenay, S., Vuagnoux, M.: Passive–only key recovery attacks on RC4. In: Adams, C., Miri, A., Wiener, M. (eds.) SAC 2007. LNCS, vol. 4876, pp. 344–359. Springer, Heidelberg (2007) CrossRefGoogle Scholar
- 35.Whitaker, L.: On the Poisson law of small numbers. Biometrika
**10**, 36–71 (1914)CrossRefGoogle Scholar