230 likes | 426 Views
WEP C racked with Aircrack. Advisor: Dr. Quincy Wu Speaker: Hui - Hsiung Chung Date: 2010-09-21. Outline. WEP RC4 How to Crack WEP Reference. WEP. WEP Wired Equivalent Privacy 64 bits and 128 bits 24 bits IV(Initialization Vector) 128 bits
E N D
WEP Cracked with Aircrack • Advisor: Dr. Quincy Wu • Speaker: Hui - Hsiung Chung • Date: 2010-09-21
Outline • WEP • RC4 • How to Crack WEP • Reference
WEP • WEP • Wired Equivalent Privacy • 64 bits and 128 bits • 24 bits IV(Initialization Vector) • 128 bits • 26 hexadecimal characters or 13 ASCII characters • 64 bits • 10 hexadecimal characters or 5 ASCII characters • CRC • WPA • Wi-Fi Protected Access
RC4 • Rivest Cipher 4 • Designed By Ron Rivest • RSA • Ron Rivest • Adi Shamir • Leonard Adleman • KSA and PRGA
The Algorithms of RC4 (1/2) • KSA • Key Schedule Algorithm K[] =Key Array Initialization: For i = 0 to N-1 S[i]=i j = 0 Scatter: For i = 0 to N-1 j =j + S[i] + K[ i mod L ] Swap ( S[i] , S[j] )
The Algorithms of RC4 (2/2) • PRGA • Pseudo Random Generation Algorithm Loop: i = i + 1 j = j + S[i] Swap( S[i],S[j] ) Output: S[ S[i]+S[j] ] Initialization: i = 0 j = 0
CRC • Cyclic Redundancy Check • Based on Binary Division • Calculate Data Checksum before Transmit ,and then Check the Data is the same after Transmit • Example
Shortcomings of WEP • Repeated Use the Key Stream • Small IV Value • 2^24 = 1,677,216 • Every 5134 Packets Happened Collision(Birthday Paradox) • IV Value is a Plain Text • Unreliable Checksum Value
WEP Cracking Procedures(1/2) • IV Collision • Collecting IV Packets • Find Two Same IV Packets • Use SNAP Header’s First Byte and XOR Operation to Find the Key
Configure Capturing • A wireless NIC with monitor mode AP channel
Beginning to Capture IV Packets APs Packets with IVs
Configure Cracking IVs APs Target AP
Successfully Cracking Spending Time IVs
Conclusion • WEP Encryption • 64-bits • 250,000 IVs • Less than 3 hours • 128-bits • 580,000 IVs • Less than 6 hours
Reference • Scott Fluhrer, Itsik Mantin and Adi Shamir, Weaknesses in the Key Scheduling Algorithm of RC4,Selected Areas in Cryptography 2001, pp1 – 24 • 戴志坤, 楊中皇,無線網路安全技術之分析與偵測分析系統之設計與實現,TANET 2006 • 黃定宇、林韓禹、鄭家明、 葉義雄 , Optimized WEP Protocol , NCS 2007
CRC Example Quotient ………. 1001,1011,1101,1000 Back
Birthday Paradox • What Probability Does Every Q(H) People Have the Same Birthday? • Let Probability is 50% ( Collision Rate) • Let H is equal to 365 • Formula: • Q(H):23.9 Back
SNAP • SubNetwork Access Protocol • IEEE Defined • Support the Coexistence of Multiple Standard on 802.2 LLC(Logical Link Control) High-Level Protocol High-Level Protocol LLC LLC MAC MAC Physical Layer Physical Layer Back