[Repost] How to Recover a 104-bit WEP Key in Under a Minute

Original source: http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/
Information source: Evil Octal Information Security Team (www.eviloctal.com)

WEP is a protocol for securing wireless LANs. WEP stands for "Wired Equivalent Privacy", which means it should provide the level of protection a wired LAN has. WEP therefore uses the RC4 stream cipher to encrypt data transmitted over the air, usually with a single secret key (called the root key or WEP key) of 40 or 104 bits.
A history of WEP and RC4
WEP was previously known to be insecure. In 2001 Scott Fluhrer, Itsik Mantin, and Adi Shamir published an analysis of the RC4 stream cipher. Some time later, it was shown that this attack can be applied to WEP and the secret key can be recovered from about 4,000,000 to 6,000,000 captured data packets. In 2004 a hacker named KoReK improved the attack: the complexity of recovering a 104 bit secret key was reduced to 500,000 to 2,000,000 captured packets.
In 2005, Andreas Klein presented another analysis of the RC4 stream cipher. Klein showed that there are more correlations between the RC4 keystream and the key than the ones found by Fluhrer, Mantin, and Shamir, which can additionally be used to break WEP in WEP-like usage modes.
Our attack
We were able to extend Klein's attack and optimize it for usage against WEP. Using our version, it is possible to recover a 104 bit WEP key with probability 50% using just 40,000 captured packets. For 60,000 available data packets, the success probability is about 80% and for 85,000 data packets about 95%. Using active techniques like deauth and ARP re-injection, 40,000 packets can be captured in less than one minute under good conditions. The actual computation takes about 3 seconds and 3 MB of main memory on a Pentium-M 1.7 GHz and can additionally be optimized for devices with slower CPUs. The same attack can be used for 40 bit keys too, with an even higher success probability.
Countermeasures
We believe that WEP should not be used anymore in sensitive environments. Most wireless equipment vendors provide support for TKIP (also known as WPA1) and CCMP (also known as WPA2), which provide a much higher security level. All users should switch to WPA1 or, even better, WPA2.
How the attack works
A paper describing the details and methods we used in our attack is available on the IACR ePrint server.
Implementation
We implemented a proof-of-concept of our attack in a tool called aircrack-ptw. It should be used together with the aircrack-ng toolsuite.
Reproduction of our results
Our tool is quite similar to aircrack-ng. You can find a very good tutorial on the aircrack-ng homepage. For usage with our tool, you need to make a few small changes.
- In Step 3, you MUST NOT use the parameter -ivs. Just skip this parameter; the other command line arguments still apply.
- In Step 5, you should use aircrack-ptw instead of aircrack-ng. ls -la output*.cap will give you a list of capture files airodump-ng has created. Usually, if you did not interrupt airodump-ng, there should be only one file named output-01.cap. Just start aircrack-ptw output-01.cap to get the key. If aircrack-ptw was not successful, wait a few seconds and start it again.
Questions and answers
Does aircrack-ptw work with arbitrary packets?
No, aircrack-ptw currently only works with ARP requests and ARP responses. Using methods like ARP re-injection, it is usually not a problem to generate a sufficient amount of ARP traffic.
In a future version, aircrack-ptw could be extended to work with other packets too.
Does aircrack-ptw work with 256 bit keys?
Currently, aircrack-ptw does not support 256 bit WEP.
Does aircrack-ptw work on WPA1 or WPA2 too?
No. WPA is a complete redesign. Although the TKIP specified for WPA still uses RC4 as encryption algorithm, related-key attacks are not possible in this case since the per-packet keys do not share a common suffix. Furthermore, re-injection attacks on WPA protected networks will not work: WPA requires multiple packets with the same IV to be discarded. Although no cryptographic attacks against WPA1 are known, we recommend WPA2 over WPA1 if you have the choice.
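The difference described in this answer, as an added example that is not part of the original page or of aircrack-ptw: WEP builds each per-packet RC4 key as the public 3-byte IV followed by the root key, so all packet keys share the same 13-byte suffix and a repeated frame still verifies, while a WPA-style receiver drops repeated counters. The root key, payload and replay_filter function are constructed for illustration, and the filter is a simplified model of the discard rule.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:  # n bytes of RC4 keystream
    s, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i, j, out = 0, 0, bytearray()
    for _ in range(n):  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_packet_key(iv: bytes, root_key: bytes) -> bytes:
    return iv + root_key  # public 3-byte IV, then the unchanging root key

def wep_encrypt(iv: bytes, root_key: bytes, payload: bytes) -> bytes:
    data = payload + zlib.crc32(payload).to_bytes(4, "little")  # payload || ICV
    return iv + b"\x00" + xor(data, rc4(wep_packet_key(iv, root_key), len(data)))

def wep_decrypt(frame: bytes, root_key: bytes):  # stateless: no replay memory
    iv, body = frame[:3], frame[4:]
    data = xor(body, rc4(wep_packet_key(iv, root_key), len(body)))
    payload, icv = data[:-4], data[-4:]
    return payload if zlib.crc32(payload).to_bytes(4, "little") == icv else None

def common_suffix_len(a: bytes, b: bytes) -> int:
    limit = min(len(a), len(b))
    return next((n for n in range(limit) if a[-1 - n] != b[-1 - n]), limit)

def replay_filter(counters):
    """Simplified WPA-style rule (assumption): accept only increasing counters."""
    last, verdicts = -1, []
    for c in counters:
        verdicts.append(c > last)
        last = max(last, c)
    return verdicts

def demo():
    root = bytes(range(1, 14))  # constructed 104-bit root key
    payload = bytes.fromhex("aaaa030000000806") + b"constructed ARP body"
    k1, k2 = (wep_packet_key(iv, root) for iv in (b"\x00\x00\x01", b"\x00\x00\x02"))
    frame = wep_encrypt(b"\x00\x00\x01", root, payload)
    # WEP verifies the same frame every time it is seen; nothing marks it as old.
    replay_ok = wep_decrypt(frame, root) == wep_decrypt(frame, root) == payload
    return common_suffix_len(k1, k2), replay_ok, replay_filter([1, 2, 2, 3])
```

demo() returns the shared suffix length of two WEP packet keys, whether the repeated WEP frame verified, and the accept/discard verdicts of the counter filter.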
Does aircrack-ptw work against WEPplus?
This has not been tested due to lack of equipment supporting WEPplus. Since WEPplus only avoids the weak IVs of the original FMS attack, we foresee no problems in applying the attack against WEPplus.
Does aircrack-ptw work against Dynamic WEP?
This has not been tested either. In principle we expect our attack to work on networks protected by Dynamic WEP. Since Dynamic WEP allows for re-keying, the attack will provide a key that may only be valid for a certain time frame. After the key has expired, the attack needs to be performed again.
Any additional information?
We are going to give a talk about aircrack-ptw at the easterhegg 2007 event in Hamburg.
I cannot compile it!
Please make sure that you have the libpcap development files installed. On Debian or Ubuntu, you can do this with apt-get install libpcap0.8-dev.
Under which license is aircrack-ptw released?
Copyright (c) 2007 Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Who we are
We (Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann) are cryptographic researchers at the cryptography and computer algebra group at the technical university Darmstadt in Germany. Head of the group is Prof. Dr. Dr. Johannes Buchmann.
Contact
Please send questions to aircrack-ptw@cdc.informatik.tu-darmstadt.de