Schneier on Security

April 4, 2007

Breaking WEP in Under a Minute

WEP (Wired Equivalent Privacy) was the protocol used to secure wireless networks. It's known to be insecure and has been replaced by Wi-Fi Protected Access, but it's still in use. This paper, "Breaking 104 bit WEP in less than 60 seconds," is the best attack against WEP to date:

Abstract:

Posted on April 4, 2007 at 12:46 PM • 27 Comments

"The required computational effort is approximately 220 RC4 key setups"

That's 2 to the 20th power in the paper. While a million is still a very small number of key setups, it's still a lot more than 220.

Posted by: MyCat at April 4, 2007 1:05 PM

I have problems with them saying that it would take a minute. The specific issue I have is gathering the 85,000 packets (to assure a crack at 90+%). Unless you are forcing replies from the source, you can't sniff 80,000 packets in a minute. Heck, I can't get 85,000 packets from a 100 Mbps connection without forcing replies. We've seen wireless connections that are active all day (being used) with less than 80,000 packets. The cracking of the key can probably be done in less than a minute, but getting the data can't be done that easily.

Posted by: David at April 4, 2007 1:13 PM

"On a IEEE 802.11g network, the number of frames required can be obtained by re-injection in less than a minute."

There is how you get the appropriate number of frames.

Posted by: Josquin at April 4, 2007 1:19 PM

"On a IEEE 802.11g network, the number of frames required can be obtained by re-injection in less than a minute."

This captures an ARP request packet and repeatedly re-sends it, generating up to 3 new packets to capture.

On my system ARP requests are 42 bytes and replies are 60 bytes, so you could generate 85,000 packets with 8.7 MB of data transferred if you get one ARP reply packet per ARP sent. That'll be more than one second on 802.11g but less than two seconds, probably.

Posted by: Aaron at April 4, 2007 1:28 PM

David, they describe the method to get the frames, but it's simply taken from http://tapir.cs.ucl.ac.uk/bittau-wep.pdf where you can find a more detailed description.

Posted by: Johannes at April 4, 2007 1:31 PM

Is there any practical software available using this method yet? Is there any planned?

Posted by: Anonymous at April 4, 2007 2:34 PM

@David:

Posted by: Dan at April 4, 2007 3:07 PM

There was a talk at Shmoocon '07 re: cracking WEP using sniffed packets and FPGAs (specialized circuit boards).

Posted by: FooDoo at April 4, 2007 4:09 PM

Remember what Bruce said: be careful in designing a cryptographic system, it will be in use for a long fscking time.

The Anonymous Pilot

Posted by: Anonymous Pilot at April 4, 2007 4:52 PM

I'm very familiar with forcing traffic and creating traffic; there are a *ton* of tools to do this. What I was referring to was "passively" sniffing 85,000 frames. Any time you inject packets, something of yours is detectable, possibly the OS, the tool, etc. If you want to crack it without letting anyone know, you need to do this "passively", and 85,000 packets is a long time when you are doing that.

You guys are like the bank robbers that are blowing up ATMs. Sure you get the money, but you leave a ton of evidence behind... Not so good, IMHO.

Posted by: David at April 4, 2007 5:30 PM

@Anonymous

Posted by: Art at April 4, 2007 5:50 PM

@David

If the goal is to crack a home network from the curb, who's going to be monitoring the wireless network for a flood of ARPs? Even with a corporate network, is an attack of this sort likely to be noticed?

Running a spoofed MAC ID and pounding the network for, say, 5-10 seconds (to spread it out a bit), is anyone going to notice that host A seemed excessively curious about host B (at the ARP level, not at the IP firewall level)?

Posted by: Woody at April 4, 2007 6:12 PM

Come on folks, it's not like the title was "PASSIVELY breaking WEP in under a minute".

Posted by: kiwano at April 4, 2007 7:49 PM

@David, I doubt that anyone still using WEP is going to be collecting, much less looking at, this sort of stuff.

Posted by: Thomas at April 4, 2007 8:24 PM

Well, that is old news, but it comes worse to the people: just change the system and go up to the internet.

Posted by: jose at April 4, 2007 9:58 PM

Well, just for the record ... I live in Mexico, and it is VERY HARD to find a WPA secured network here ... It is either open, or WEP :-o. Call it paradise ;-)

Posted by: Samy at April 4, 2007 10:41 PM

In the paper they mention that looking at sites around Germany they found many still using WEP. In the UK there are many home networks with no encryption and many that use WEP as it's the next choice on the list after none.

Posted by: A.Person from the UK at April 5, 2007 3:18 AM

@Anonymous, Good, when the music police come knocking down my door I'll say it was you ;-)

Posted by: Warez at April 5, 2007 4:10 AM

http://dir.salon.com/story/tech/feature/2004/05/...

"Dear Comcast, I am so sorry. I had no idea that copyrighted works were being downloaded via my IP address; I have a wireless router at home and it's possible that someone may have been using my connection at the time. I will do my best to secure this notoriously vulnerable technology, but I can make no guarantee that hackers will not exploit my network in the future."

Posted by: Warez at April 5, 2007 4:13 AM

@Warez but he lied; he did not "do my best to secure this", he deliberately removed all security.

I agree it is a useful letter but, as we now know that any wireless security is at best a delay, he may as well leave it switched on and not lie.

Posted by: Rick at April 5, 2007 10:07 AM

@Rick

Posted by: Greg at April 5, 2007 11:38 AM

I use WEP at home and will probably continue to for some time, for several reasons:

First, WEP is enough to keep the casual bandwidth poachers away, and my apartment building alone has at least two completely unsecured networks running, so I doubt anyone's going to make much of an effort to crack mine.

Second, I've got other controls - my wireless network is isolated from my desktop PCs by a firewall, so even if somebody finds my SSID, cracks my WEP key and hops on the network, they're not going to do anything more serious than leech a few kbps of bandwidth.

Finally and most importantly, the Nintendo DS doesn't support WPA. And I gots to have my Mario Kart!

Posted by: K. Signal Eingang at April 5, 2007 2:44 PM

A short but interesting note to those people who take the "better not secure WLAN at all" stand:

Posted by: Anony. Europe at April 6, 2007 12:50 AM

Just simply, I do not see anything new in that PDF :(, only collected information put together...

Posted by: Abruzzi at September 18, 2007 6:21 PM
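The thread above (Aaron, David, Woody) turns on whether the ARP re-injection that supplies the 85,000 frames is noticeable on the network. As an added example, not from the post, the paper, or any commenter, here is a small Python detector that flags a source MAC sending an abnormal number of ARP frames inside a one-second window; the capture summary format, the thresholds and all MAC addresses are constructed for this example.

```python
"""Flag ARP-replay bursts in a wireless capture summary (added example).

A host normally sends a few ARP requests per minute. The re-injection the
comments describe replays one captured ARP request hundreds of times per
second so the victim answers each copy, which shows up as a burst of
same-sized ARP frames from one source MAC. The summary format
'<time_ms> <src_mac> <dst_mac> <frame_len> <proto>' is constructed here.
"""
from collections import defaultdict, deque


def parse_line(line):
    """Split one summary line into (time_ms, src, dst, length, proto)."""
    t, src, dst, length, proto = line.split()
    return int(t), src, dst, int(length), proto


def find_arp_bursts(lines, window_ms=1000, threshold=100):
    """Return {src_mac: peak ARP frames in any window_ms window} for every
    source whose peak reaches threshold. Lines must be time-ordered."""
    recent = defaultdict(deque)  # src -> timestamps of ARP frames in window
    peak = defaultdict(int)
    for line in lines:
        t, src, _dst, _length, proto = parse_line(line)
        if proto != "ARP":
            continue
        q = recent[src]
        q.append(t)
        while t - q[0] > window_ms:  # drop frames older than the window
            q.popleft()
        peak[src] = max(peak[src], len(q))
    return {src: n for src, n in peak.items() if n >= threshold}


def build_sample_capture():
    """Constructed traffic: a quiet host plus a source replaying one ARP."""
    lines = []
    for t in (1500, 22000, 47300):  # three ordinary ARP requests in a minute
        lines.append(f"{t} 00:11:22:33:44:55 ff:ff:ff:ff:ff:ff 42 ARP")
    for i in range(60):  # ordinary data frames, one per second
        lines.append(f"{i * 1000} 00:11:22:33:44:55 00:11:22:33:44:66 1500 DATA")
    for i in range(400):  # the same 42-byte ARP replayed 400 times in 2 s
        lines.append(f"{10000 + i * 5} de:ad:be:ef:00:01 ff:ff:ff:ff:ff:ff 42 ARP")
    return sorted(lines, key=lambda l: int(l.split()[0]))


if __name__ == "__main__":
    for src, n in find_arp_bursts(build_sample_capture()).items():
        print(f"possible ARP replay from {src}: {n} ARP frames in one second")
```

The quiet host never exceeds a handful of ARP frames per window, while the replaying source peaks at about 200 per second, so a per-source rate check on ARP alone separates the two without any payload inspection.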