Smashing WEP in A Passive Attack

In this paper, we report extremely fast and optimised active and passive attacks against the old IEEE 802.11 wireless communication protocol WEP. This was achieved through a huge amount of theoretical and experimental analysis (capturing WiFi packets), refinement and optimisation of all the former known attacks and methodologies against RC4 stream cipher in WEP mode. We support all our claims by providing an implementation of this attack as a publicly available patch on Aircrack-ng. Our new attacks improve its success probability drastically. We adapt our theoretical analysis in Eurocrypt 2011 to real-world scenarios and we perform a slight adjustment to match the empirical observations. Our active attack, based on ARP injection, requires 22 500 packets to gain success probability of 50% against a 104-bit WEP key, using Aircrack-ng in non-interactive mode. It runs in less than 5 seconds on an off-the-shelf PC. Using the same number of packets, Aicrack-ng yields around 3% success rate. Furthermore, we describe very fast passive only attacks by just eavesdropping TCP/IPv4 packets in a WiFi communication. Our passive attack requires 27 500 packets. This is much less than the number of packets Aircrack-ng requires in active mode (around 37 500), which is a huge improvement.We believe that our analysis brings on further insight to the security of RC4.

Presented at:
20th International Workshop on Fast Software Encryption, Singapore, March 10-13, 2013

 Record created 2013-06-10, last modified 2018-03-17

Download fulltext

Rate this document:

Rate this document:
(Not yet reviewed)