Breaking 104 Bit WEP in Less Than 60 Seconds

  • Conference paper
Information Security Applications (WISA 2007)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 4867)

Abstract

We demonstrate an active attack on the WEP protocol that is able to recover a 104-bit WEP key using less than 40,000 frames with a success probability of 50%. In order to succeed in 95% of all cases, 85,000 packets are needed. The IV of these packets can be randomly chosen. This is an improvement in the number of required frames by more than an order of magnitude over the best known key-recovery attacks for WEP. On an IEEE 802.11g network, the number of frames required can be obtained by re-injection in less than a minute. The required computational effort is approximately 2^20 RC4 key setups, which on current desktop and laptop CPUs is negligible.

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Tews, E., Weinmann, RP., Pyshkin, A. (2007). Breaking 104 Bit WEP in Less Than 60 Seconds. In: Kim, S., Yung, M., Lee, HW. (eds) Information Security Applications. WISA 2007. Lecture Notes in Computer Science, vol 4867. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-77535-5_14

  • DOI: https://doi.org/10.1007/978-3-540-77535-5_14

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-77534-8

  • Online ISBN: 978-3-540-77535-5

  • eBook Packages: Computer Science (R0)
