6

Most of us dealing with wireless security must have cracked a WEP key, and while doing that must have come across texts like this:

weak IVs, reveal more information about the secret part of the WEP key than others--about 9,000 weak IVs out of 16,000,000 possible ones.

What are these weak IVs? It would be great if someone enlightened me about how they reveal secret WEP keys? Can we somehow stop or slow down WEP cracking by avoiding usage of weak IVs?

Anders
  • 65,052
  • 24
  • 180
  • 218
Arjun sharma
  • 660
  • 3
  • 20
  • 1
    You might find [this answer](http://security.stackexchange.com/a/24795/52676) a bit helpful (for weak IV info), although it's not a complete answer to your question. – RoraΖ Oct 25 '16 at 12:40
  • 2
    weak ones are predictably generated ones, typically by lower power devices running older code. one can quickly try all WEP keys, weak or not. those known ones would get tried first, but the time savings is not deterministic. – dandavis Oct 25 '16 at 17:15
  • @dandavis plz elaborate a little – Arjun sharma Oct 25 '16 at 17:30

2 Answers2

2

The weak keys you are talking about are exploited by the FMS attack, as correctly pointed out by another user.

It would be great if someone enlightened me about how they reveal secret WEP keys?

It's not easy. Keep in mind this is a (relatively complex) cryptographic attack, it's not a simple dictionary attack or something like that.

WEP is (should we say was?) based on a cryptographic algorithm called RC4. The way RC4 works is the following:

1) starting from a key - in our case,a shared key concatenated with an IV - it computes an "internal state" S[i], which is a pseudorandom array of 256 8-bit values, through a Key Scheduling Algorithm (KSA);

2) this internal state is the input of a block (PRGA - Pseudo-Random Generation Algorithm) that generates one pseudo-random byte k[i];

3) the internal state is changed and fed again into the PRGA, which produces another pseudo-random byte k[i]+1. The sequence of pseudo-random bytes is known as keystream;

4) the message (plaintext) is XOR'd with the keystream. Because of the properties of the XOR operator, this is like XORing each pseudo-random byte of keystream with a byte of message. Indeed, that's what happens.

One thing you have to know about the XOR: it is always true that A ⊕ B ⊕ B = A.


The FMS attack works as follows.

Because WEP is used in Wi-Fi, which (for technical reasons not related to security) uses a particular type of header, the first byte of any message "protected" by WEP is known and is 0xAA (AA in hexadecimal). Applying the XOR property, and considering that every byte of the ciphertext is derived separately, we can get the first byte of keystream. Let m1 = 0xAA be the first byte of plaintext and c1 the first byte of ciphertext, the first byte of keystream is m1 ⊕ c1.

Remember that the (fixed) shared key is concatenated with the IV, which changes at every packet but is always known to the attacker (since it's transmitted in clear). As the shared key is constant, a key is weak if the IV is weak.

Let's focus now on the first three bytes of keystream K[0], K[1], K[2].

As the keystream starts with the IV, K[0,1,2] are (the only) three bytes of the IV, and as such are known. The attacker starts with these bytes and loads them into the KSA. If the IV is weak, the attacker can get a possible value of the fourth byte of the key. By repeating this procedure on several packets, the attacker can get a pretty good idea of the value of the 4th, 5th, bytes and so on.

What are these weak IVs?

As we saw, weak IVs are IVs which allow to get hints about the key, one byte at a time. These hints get more and more concrete as the attacker collects more and more packets.

More specifically, an IV is weak (in the sense of the FMS attack) if it is of some particular kind such as, for example, A+3::ff:X, where A is the byte of the key to be found, ff is 255 in decimal and X is an arbitrary 8-bit value.

Can we somehow stop or slow down WEP cracking by avoiding usage of weak IVs?

We can stop this attack by avoiding usage of weak IVs, but we cannot prevent WEP cracking at all. WEP is broken in many ways, most of which would work even if the underlying cryptographic algorithm wasn't broken (as RC4 is, for example through the FMS attack).

Do not use WEP, period. There's no reason to do that anymore.

forest
  • 65,613
  • 20
  • 208
  • 262
A. Darwin
  • 3,592
  • 2
  • 16
  • 27
0

Perhaps this explains what you are looking for: "Weaknesses in the Key Scheduling Algorithm of RC4", Scott Fluhrer, Itsik Mantin, and Adi Shamir

I found a copy here: http://www.crypto.com/papers/others/rc4_ksaproc.pdf

Tom K.
  • 7,965
  • 3
  • 30
  • 53
DaveM
  • 165
  • 5
  • 5
    Perhaps you can summarize the key findings of that paper regarding weak IVs and add them to your answer? The problem with posting links only is that your answer becomes irrelevant if the link ever dies. – Dan Landberg Jul 17 '17 at 18:35