Klein's and PTW Attacks on WEP

  • 8/6/2019 Kleins and Ptw Attacks on Wep

    1/10

    TTM4137 Wireless Security

    Klein's and PTW Attacks on WEP

    Anton Stolbunov

    NTNU, Department of Telematics

    version 1, September 7, 2009

    Abstract

    These notes should help for an in-depth understanding of the paper [1] by Klein and [2] by Tews, Weinmann and Pyshkin.

    1 Notation

    $n$      256;
    $S$      array containing the numbers $\{0, \dots, n-1\}$ in some order. Each number is present only once. $S$ is also called a permutation;
    $S_i$    RC4 internal permutation $S$ after the $i$-th RC4 round. $1 \le i \le n$ corresponds to the key setup algorithm, while $i > n$ is the keystream generation algorithm;
    $j_i$    RC4 internal variable $j$ after the $i$-th RC4 round;
    $K$      RC4 key;
    $l$      length of $K$ in bytes. Equals 16 for the 104-bit Wired Equivalent Privacy (WEP);
    $X$      RC4 key stream;
    $Rk$     WEP root key. 13 bytes for the 104-bit WEP;
    $IV$     WEP per-packet initialization vector. 3 bytes;
    ←        assignment;
    ↔        swap;
    ⊕        bitwise XOR;
    ∀        for all;
    iff      if and only if;
    ||       concatenation.

    Indexing in arrays starts from 0, i.e. the first element of $S$ is $S[0]$. All formulas are implicitly written modulo $n$, except for the values of probabilities. In Sections 4 and 5 we present attacks on the 104-bit WEP, i.e. $l = 16$.


    [Diagram: K → RC4 → X; message ⊕ X → ciphertext]

    Figure 1: RC4 stream cipher.

    2 RC4 Stream Cipher

    Fig. 1 and Algorithms 1 and 2 illustrate the RC4 encryption.

    Algorithm 1 RC4 key setup

    1: S ← (0, 1, ..., 255)
    2: j ← 0
    3: for i ← 0 to 255 do
    4:     j ← j + S[i] + K[ i mod l ]
    5:     S[i] ↔ S[j]
    6: end for
    7: i ← 0
    8: j ← 0

    Algorithm 2 RC4 key stream generation

    1: i ← i + 1
    2: j ← j + S[i]
    3: S[i] ↔ S[j]
    4: return S[ S[i] + S[j] ]

    3 Klein's Correlation in RC4

    Throughout this section i is a positive integer less than n.

    3.1 Klein's Theorem

    We present a simplified version of [1, Theorem 1]. The theorem is relevant not only to RC4, as it applies to permutations in general.

    Theorem 1. Let $S$ be a random permutation¹ of the numbers $\{0, \dots, n-1\}$. Then for all integers $i, x, c \in \{0, \dots, n-1\}$, the following holds:

    $$\Pr\big( S[\, S[i] + x \,] + x = i \big) = \frac{2}{n}, \tag{1}$$

    $$\Pr\big( S[\, S[i] + x \,] + x = c \big) = \frac{n-2}{n(n-1)}, \quad \text{where } c \ne i. \tag{2}$$

    ¹ "$S$ is random" means that it is picked from the $n!$ possible permutations such that the probability of picking each one is $1/n!$.

    Proof. To show (1) we will count the total number of different permutations $S$ that satisfy the condition under the Pr sign. Consider the following two disjoint cases:

    Case 1:

    $$S[i] = i - x. \tag{3}$$

    It follows that $i = S[i] + x$ and, substituting the index $i$ in (3), we get $S[\, S[i] + x \,] = i - x$. This is equivalent to condition (1), so we are only left with one condition. (3) puts a restriction on one element $S[i]$. The remaining $n-1$ elements can take any of the remaining $n-1$ values. Thus the total number of permutations satisfying (3) is $(n-1)!$.

    Case 2:

    $$S[i] \ne i - x. \tag{4}$$

    We now have two conditions that should be met simultaneously. Condition (1) leaves only one possibility for the element $S[\, S[i] + x \,]$, leaving the remaining elements unrestricted. Because of (4), we have that $S[i] + x \ne i$, so conditions (1) and (4) apply to elements with different indices. Condition (4) leaves $n-1$ possibilities for the value of $S[i]$. The remaining $n-2$ elements of $S$ can take any of the remaining $n-2$ unused values. Thus Case 2 incorporates a total of $(n-1)(n-2)! = (n-1)!$ permutations.

    We have shown that Cases 1 and 2 allow a total of $2(n-1)!$ different permutations. Since $S$ is picked at random from $n!$ possibilities, the probability that we hit either of the two cases is

    $$\frac{2(n-1)!}{n!} = \frac{2}{n},$$

    which proves (1).

    To show (2) we will again count possible permutations. We first show that (5) holds. Suppose the opposite is true: $S[i] = i - x$. Then $S[i] + x = i$, and, substituting the index in (2), we get that $S[i] + x = c$. But $c \ne i$, so $S[i] + x \ne i$, which contradicts our assumption. Thus

    $$S[i] \ne i - x. \tag{5}$$

    Since $S[i] + x \ne i$, conditions (2) and (5) apply to elements with different indices in $S$. Condition (2) leaves one possibility for the value of the element $S[\, S[i] + x \,]$. This value is $c - x$, and it is different from $i - x$, because $c \ne i$. So when it comes to the element $S[i]$, it cannot take the value $c - x$ because it is already used, and cannot take the value $i - x$ because of the condition (5). The element $S[i]$ is only left with $n-2$ possibilities. The remaining $n-2$ elements can take any of the remaining $n-2$ values. Thus the total number of permutations satisfying (2) is $(n-2)(n-2)!$. This gives us the probability

    $$\frac{(n-2)(n-2)!}{n!} = \frac{n-2}{n(n-1)}.$$
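    Theorem 1 and the two case counts in its proof can be confirmed by exhaustive enumeration for a small n. The following is an added example, not part of the original notes; the function names and the choice n = 6 are illustrative assumptions.

```python
from fractions import Fraction
from itertools import permutations
from math import factorial

def case_counts(n, i, x):
    """Count permutations satisfying (1), split into the proof's Case 1 and Case 2."""
    case1 = case2 = 0
    for S in permutations(range(n)):
        if (S[(S[i] + x) % n] + x) % n != i:
            continue                      # condition (1) does not hold
        if S[i] == (i - x) % n:
            case1 += 1                    # Case 1: S[i] = i - x, equation (3)
        else:
            case2 += 1                    # Case 2: S[i] != i - x, equation (4)
    return case1, case2

def distribution(n, i, x):
    """Exact distribution of c = S[S[i] + x] + x (mod n) over all n! permutations."""
    counts = [0] * n
    for S in permutations(range(n)):
        counts[(S[(S[i] + x) % n] + x) % n] += 1
    return [Fraction(k, factorial(n)) for k in counts]

def theorem1_holds(n):
    """Check (1) and (2) for every i, x, c in {0, ..., n-1}."""
    hit, miss = Fraction(2, n), Fraction(n - 2, n * (n - 1))
    for i in range(n):
        for x in range(n):
            dist = distribution(n, i, x)
            if any(p != (hit if c == i else miss) for c, p in enumerate(dist)):
                return False
    return True

if __name__ == "__main__":
    n = 6  # assumed small n so that all n! permutations can be enumerated
    print(case_counts(n, 2, 5), factorial(n - 1))  # both cases give (n-1)!
    print(theorem1_holds(n))
```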

    3.2 Equation (10)

    Observe that in Lines 4 and 5 of Algorithm 1 the current round number is $i + 1$. Thus we can write

    $$j_{i+1} = j_i + S_i[i] + K[\, i \bmod l \,], \tag{6}$$

    $$S_{i+1}[i] = S_i[j_{i+1}]. \tag{7}$$

    After substituting $j_{i+1}$ in (7) with the value from (6) we get

    $$\underbrace{S_{i+1}[i]}_{h} = S_i[\, \underbrace{j_i + S_i[i] + K[\, i \bmod l \,]}_{g} \,]. \tag{8}$$

    Now denote $g$ and $h$ as pictured in (8). Since permutations are invertible, we have that

    $$S[g] = h \ \text{ iff } \ S^{-1}[h] = g, \tag{9}$$

    so we can rewrite (8) as

    $$S_i^{-1}[\, S_{i+1}[i] \,] = j_i + S_i[i] + K[\, i \bmod l \,],$$

    or

    $$K[\, i \bmod l \,] = S_i^{-1}[\, S_{i+1}[i] \,] - (j_i + S_i[i]). \tag{10}$$

    3.3 Equation (13)

    Observe from Line 4 of Algorithm 2 that after a round number $i + n$ the following holds:

    $$S_{i+n}[\, S_{i+n}[i] + S_{i+n}[j_{i+n}] \,] = X[i-1]. \tag{11}$$

    In (1) choose $S$ to be $S_{i+n}$ and $x$ to be $S_{i+n}[j_{i+n}]$. Theorem 1 implies that

    $$\Pr\big( S_{i+n}[\, S_{i+n}[i] + S_{i+n}[j_{i+n}] \,] + S_{i+n}[j_{i+n}] = i \big) = \frac{2}{n}. \tag{12}$$

    Combining (11) and (12) we get

    $$\Pr\big( S_{i+n}[j_{i+n}] = i - X[i-1] \big) = \frac{2}{n}. \tag{13}$$


    3.4 Equation (16)

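    We now use (2) substituting, as before, $S$ with $S_{i+n}$ and $x$ with $S_{i+n}[j_{i+n}]$:

    $$\forall c \ne i, \quad \Pr\big( S_{i+n}[\, S_{i+n}[i] + S_{i+n}[j_{i+n}] \,] + S_{i+n}[j_{i+n}] = c \big) = \frac{n-2}{n(n-1)}. \tag{14}$$

    Combining (11) and (14) we get

    $$\forall c \ne i, \quad \Pr\big( X[i-1] + S_{i+n}[j_{i+n}] = c \big) = \frac{n-2}{n(n-1)}.$$

    Now add $i$ to each side and rearrange the terms:

    $$\forall c \ne i, \quad \Pr\big( S_{i+n}[j_{i+n}] - c + i = i - X[i-1] \big) = \frac{n-2}{n(n-1)}. \tag{15}$$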

    After denoting = Si+n[ji+n] c + i ,

    we notice that c = i iff c = Si+n[ji+n] + i = i iff = Si+n[ji+n], andthus (15) can be written as

    = Si+n[ji+n]

    , Pr( i X[i 1]

    = ) =n 2

    n(n 1). (16)

    3.5 Equation (20)

    Consider Algorithm 1 where Line 4 is replaced with

    $$j \leftarrow \mathrm{rand}(n). \tag{17}$$

    This is a crude approximation² of the original algorithm, but it will let us derive some important probability estimates. On each round of this modified key setup algorithm, $S[i]$ is swapped with an element $S[j]$, where $j$ is now random. In particular, during the round number $i + 2$, the probability of the event $j = i$ equals $1/n$, and so the probability that $j \ne i$ is $1 - 1/n$. Thus $S_{i+1}[i]$ stays unchanged during the $(i + 2)$nd round with probability $1 - 1/n$. We write this fact as

    $$\Pr\big( S_{i+1}[i] = S_{i+2}[i] \big) = 1 - \frac{1}{n}.$$

    The same reasoning applies to subsequent rounds, i.e. the probability that $S_{i+1}[i]$ stays unchanged during the next $k$ rounds is $(1 - 1/n)^k$, $k < n - i$.

    ² If the key $K$ consisted of $n$ independent random bytes, this approximation would be precise in terms of probability distributions. But since $l < n$, we should expect some imprecision in final results, which will show through an increased number of packets required for the WEP attack in practice.


    Consider (10) that holds unconditionally, and replace the term $S_{i+1}[i]$ with the value from (21). Since the equality under the Pr sign in (21) holds with the given probability, we can write

    $$\Pr\big( K[\, i \bmod l \,] = S_i^{-1}[\, i - X[i-1] \,] - (S_i[i] + j_i) \big) \approx \frac{1.36}{n}. \tag{22}$$

    Note that, according to Algorithm 1, for $i < l$, the key bytes $K[0], K[1], \dots, K[i-1]$ completely determine the permutation $S_i$. Therefore (22) expresses the dependency between the $i$-th key byte, the $i$ preceding key bytes and the $(i-1)$st key stream byte. We see a severe probability deviation from the mean value $1/n$. This fact will be used in our attack to obtain information about the value of the key byte $K[i]$.
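    The deviation stated in (22) can be measured directly on real RC4 with locally generated random 16-byte keys. The following is an added example, not part of the original notes; the function names, the seed and the trial count are illustrative assumptions, and the round indexing follows Section 1 (snapshot i is the state after i key setup rounds).

```python
import random

N = 256  # n in the notes

def ksa_trace(key, upto):
    """Algorithm 1. Returns the final S and the snapshots (S_i, j_i) for i < upto."""
    S, j, snaps = list(range(N)), 0, []
    for i in range(N):
        if i < upto:
            snaps.append((S[:], j))      # state after i rounds, before index i is used
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S, snaps

def keystream(S, count):
    """Algorithm 2, run `count` times on a copy of S. Returns X[0..count-1]."""
    S, i, j, out = S[:], 0, 0, []
    for _ in range(count):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return out

def klein_hit_rate(trials, l=16, seed=1):
    """Fraction of (key, i) pairs, 3 <= i < l, for which the equality in (22) holds."""
    rng = random.Random(seed)            # constructed test keys, fixed seed
    hits = total = 0
    for _ in range(trials):
        key = [rng.randrange(N) for _ in range(l)]
        S, snaps = ksa_trace(key, l)
        X = keystream(S, l)
        for i in range(3, l):
            Si, ji = snaps[i]
            # Right-hand side of (22): S_i^{-1}[i - X[i-1]] - (S_i[i] + j_i) mod n
            rhs = (Si.index((i - X[i - 1]) % N) - (Si[i] + ji)) % N
            hits += rhs == key[i]
            total += 1
    return hits / total

if __name__ == "__main__":
    rate = klein_hit_rate(15000)
    print(f"measured {rate * N:.2f}/n, uniform guess would give 1.00/n")
```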

    4 Klein's Attack on WEP

    The payload field in the 802.11 data frame's MAC protocol data unit (MPDU) consists of:

    $$\underbrace{IV,\ \text{padding},\ Rk\text{'s ID}}_{\text{plaintext}},\ \underbrace{\text{data},\ ICV}_{\text{encrypted}},$$

    where $IV$ is a 3-byte initialization vector, $Rk$'s ID is a 2-bit root key identifier and $ICV$ is the integrity check value. The data field carries packets from higher layers. The encryption is performed by RC4 using the key

    $$K = IV \,\|\, Rk.$$

    Note that the secret root key $Rk$ is prepended with an IV, which is transmitted over the air in clear text. The IV is different for each packet (which is not always true in practice).

    Assume we have captured a packet where we know the first 15 bytes of the data field in clear text³. We compute 15 bytes of the RC4 key stream as follows (see also Fig. 1):

    $$X[i] = \text{ciphertext}[i] \oplus \text{data}[i], \quad i \in \{0, 1, \dots, 14\}.$$

    Since we know the value of $IV = (K[0], K[1], K[2])$, we can run the first three rounds of the RC4 key setup algorithm, and thus obtain $S_3$ and $j_3$. From $S_3$ it is also straightforward to compute $S_3^{-1}$ using (9). Now write (22) for $i = 3$:

    $$\Pr\big( K[3] = \underbrace{S_3^{-1}[\, 3 - X[2] \,] - (S_3[3] + j_3)}_{k_0} \big) \approx \frac{1.36}{n}.$$

    ³ To recover a 13-byte $Rk$ we do not actually need the first 2 bytes, but only need the following 13 bytes of the data.


    We compute the value $k_0$ and store it as a candidate for $Rk[0]$. Note that with a rather high probability $1 - 1.36/n$, the byte $Rk[0]$ can have a value different from $k_0$. Thus we need to collect more evidence about $Rk[0]$. Luckily, this can be done using packets that are transmitted between the same stations (thus the same $Rk$⁴), but have different IVs. Each new IV provides us with a new experiment outcome, whereas an observation of same IVs gives no new information whatsoever, since same IVs yield identical three first rounds of the key setup Algorithm 1. When enough votes are collected, we can choose the highest rated value of $k_0$. Klein estimates the number of unique IVs sufficient to recover the byte $Rk[0]$ to be 25000.

    After choosing the most frequent $k_0$, we let $K[3] = k_0$, which allows us to run the fourth round of the key setup algorithm for each given IV. Using the same collection of captured packets we now carry out similar calculations for the byte $Rk[1]$. By this approach we find all the bytes of $Rk$ and finally test it by a trial decryption of some ciphertext for which we know the plaintext, or a part of it.

    In a case when too few unique IVs were used, the right candidate for some $Rk[i]$ might not be the most frequent one. Then we have to try the second, third and so on, most frequent candidates for $Rk[i]$, recomputing the subsequent key bytes $Rk[i+1], \dots, Rk[l-1]$ for each new $Rk[i]$. This iterative try-and-fail process is repeated until the correct root key is found. Note the high computational cost of correcting falsely guessed key bytes in this approach.

    5 PTW Improved Key Calculation

    Tews, Weinmann and Pyshkin extend Klein's attack such that it is possible to compute key bytes independently of each other.

    Consider Line 4 of Algorithm 1 during an $(i + 3)$rd round, for some $i \le n - 3$:

    $$j_{i+3} = j_{i+2} + S_{i+2}[i+2] + K[\, i + 2 \bmod l \,]. \tag{23}$$

    Similarly the $(i + 2)$nd round yields

    $$j_{i+2} = j_{i+1} + S_{i+1}[i+1] + K[\, i + 1 \bmod l \,],$$

    and substituting $j_{i+2}$ in (23) gives

    $$j_{i+3} = j_{i+1} + \sum_{m=i+1}^{i+2} S_m[m] + \sum_{m=i+1}^{i+2} K[\, m \bmod l \,].$$

    ⁴ We assume that the root key is not changed during the attack, which is very likely to be true in practice.


    After doing this substitution $i - 2$ times we get

    $$j_{i+3} = j_3 + \sum_{m=3}^{i+2} S_m[m] + \sum_{m=3}^{i+2} K[\, m \bmod l \,]. \tag{24}$$

    Now write (22) replacing $i$ with $i + 3$:

    $$\Pr\big( K[\, i + 3 \bmod l \,] = S_{i+3}^{-1}[\, i + 3 - X[i+2] \,] - (S_{i+3}[i+3] + j_{i+3}) \big) \approx \frac{1.36}{n},$$

    and replace the rightmost term $j_{i+3}$ with the one from (24). After regrouping of terms we get:

    $$\Pr\Big( \underbrace{\sum_{m=3}^{i+3} K[\, m \bmod l \,]}_{\sigma_i} = S_{i+3}^{-1}[\, i + 3 - X[i+2] \,] - \big( j_3 + \sum_{m=3}^{i+3} S_m[m] \big) \Big) \approx \frac{1.36}{n}.$$

    After denoting $\sigma_i$ as pictured above, the last equation becomes

    $$\Pr\Big( \sigma_i = S_{i+3}^{-1}[\, i + 3 - X[i+2] \,] - \big( j_3 + \sum_{m=3}^{i+3} S_m[m] \big) \Big) \approx \frac{1.36}{n}. \tag{25}$$

    The right side of the equality under the Pr sign is dependent on the first $i + 3$ key setup rounds. The authors of the PTW attack note that with a rather high probability elements in $S$ that are used in this expression stay unchanged since the third round of the key setup algorithm. Thus we can replace them with the corresponding elements in $S_3$ and still have a significant probability deviation for small $i$'s [2, Equations (7) and (8)]:

    $$\Pr\Big( \sigma_i = \underbrace{S_3^{-1}[\, i + 3 - X[i+2] \,] - \big( j_3 + \sum_{m=3}^{i+3} S_3[m] \big)}_{A_i} \Big) > \frac{1}{n}. \tag{26}$$

    The PTW attack proceeds as follows. For each captured packet we run the first three rounds of the RC4 key setup algorithm and compute the values $A_i$ for all $i \in \{0, 1, \dots, 12\}$. Every new IV yields new (possibly repeating) thirteen values $A_i$. When a sufficient number of packets is analysed, we choose the most frequent candidates for $A_i$'s and assign them to the variables $\sigma_i$ for all $i \in \{0, 1, \dots, 12\}$. The root key bytes are then obtained using

    $$Rk[0] = \sigma_0; \quad Rk[i] = \sigma_i - \sigma_{i-1}, \quad i \in \{1, \dots, 12\}.$$

    The root key is then checked for correctness by a trial decryption. If it is wrong, we choose less frequent candidates for $\sigma_i$'s and try again. As compared to Klein's attack, this approach does not require recalculation of statistics for rightmost key bytes every time we correct a falsely guessed $\sigma_i$.


    References

    [1] Andreas Klein. Attacks on the RC4 stream cipher. Des. Codes Cryptography, 48(3):269-286, 2008.

    [2] Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin. Breaking 104 bit WEP in less than 60 seconds. In Sehun Kim, Moti Yung, and Hyung-Woo Lee, editors, WISA, volume 4867 of Lecture Notes in Computer Science, pages 188-202. Springer, 2007.
