The document discusses the WEP (Wired Equivalent Privacy) and WPA (Wi-Fi Protected Access) protocols, detailing their authentication, encryption methods, and vulnerabilities. It highlights weak points in WEP, such as poor key management and predictable initialization vectors, alongside various attacks like FMS, PTW, and ARP replay. WPA was introduced as a more secure replacement with enhancements like TKIP and AES, but also has known vulnerabilities exploited by attacks such as the Beck-Tews and Michael attacks.

1. WEP/WPA
Attacks
Huda Seyam
21/12/2019

2. 2
What is the WEP protocol?
• Stand for “Wired Equivalent Privacy” or “Wireless Encryption Protocol”
• The WEP protocol was introduced with the original 802.11 standard as a
means to provide authentication and encryption to wireless LAN
implementations.

3. 3
WEP Authentication
• Two methods of authentication can be used with WEP: Open System
authentication and Shared Key authentication.
• the WEP key is used for authentication in a four-step challenge-response
handshake:
1. The client sends an authentication request to the Access Point.
2. The Access Point replies with a clear-text challenge.
3. The client encrypts the challenge-text using the configured WEP key
and sends it back in another authentication request.
4. The Access Point decrypts the response. If this matches the
challenge text, the Access Point sends back a positive reply.
• After the authentication and association, the pre-shared WEP key is also
used for encrypting the data frames using RC4.

4. 4

5. 5
WEP Encryption
• It is based on the Rivest Cipher 4 (RC4) stream cypher with a Pre-shared
Secret Key (PSK) of 40 or 104 bits, depending on the implementation. A
24-bit pseudorandom Initialization Vector (IV) is concatenated with the
pre-shared key to generate the per-packet keystream used by RC4 for
the actual encryption and decryption process. Thus, the resulting
keystream could be 64 or 128 bits long.
• In the encryption phase, the keystream is encrypted with the XOR cypher
with the plaintext data to obtain the encrypted data. While in the
decryption phase, the encrypted data is XOR-encrypted with the
keystream to obtain the plaintext data. The encryption process is shown
in the following diagram.

6. WEP Encryption
6

7. Why WEP is weak ?
7
• No key management
– One key for all
• IV is just 24 bits and transmitted as clear text
– 24 bit keys allow for around 16.7 million
possibilities. Sounds a lot, but on a busy network
this number can be achieved in a few hours
• IV values can be reused
– In fact the standard does not specify that the value
needs to change at all. Reusing keys is a major
cryptographic weakness in any security system
– If enough frames are collected based on the same
IV, anyone can determine the shared values among
them, that is the keystream or the shared secret key.
• No standard procedure for IV generation
• First few key stream bytes are predictable in RC4
algorithm with weak IVs

8. FMS attacks on WEP
• The first well-known attack against WEP was the Floorer,
Manton, and Shamir (FMS) attack back in 2001. The FMS
attack relies on the way WEP generates the keystreams and on the
fact that it also uses weak IV to generate weak keystreams, making
it possible for an attacker to collect a sufficient number of packets
encrypted with these keys, to analyze them, and recover the key.
• The number of IVs to be collected to complete the FMS attack is
about 250,000 for 40-bit keys and 1,500,000 for 104-bit keys.
• The FMS attack has been enhanced by Kurek, improving its
performance.
8

9. PTW attacks on WEP
• In 2007, Pushkin, Taws, and Weinman (PTW) extended
Andreas Klein’s research and improved the FMS attack, significantly
reducing the number of IVs needed to successfully recover the WEP
key.
• Indeed, the PTW attack does not rely on weak IVs such as the FMS
attack does and is very fast and effective. It is able to recover a 104-
bit WEP key with a success probability of 50% using less than
40,000 frames and with a probability of 95% with 85,000 frames.
• The PTW attack is the default method used by Aircrack-ng to crack
WEP keys.
9

10. ARP Request replay attacks on WEP
• Both FMS and PTW attacks need to collect quite a large number of frames
to succeed and can be conducted passively, sniffing the wireless traffic on
the same channel of the target AP and capturing frames. The problem is
that, in normal conditions, we will have to spend quite a long time to
passively collect all the necessary packets for the attacks, especially with the
FMS attack.
• To accelerate the process, the idea is to reinject frames in the network to
generate traffic in response so that we can collect the necessary IVs more
quickly. A type of frame that is suitable for this purpose is the ARP request
because the AP broadcasts it, each time with a new IV. As we are not
associated with the AP, if we send frames to it directly, they are discarded
and a de-authentication frame is sent. Instead, we can capture ARP
requests from associated clients and retransmit them to the AP.
• This technique is called the ARP Request Replay attack and is also
adopted by Aircrack-ng for the implementation of the PTW attack.
10

11. chop-chop attack
A chop-chop attack works
by taking one byte of data
from a WEP encrypted
packet, substituting values
for that byte, and
recalculating the encryption
checksum. The modified
packets are then sent to an
access point, which simply
discards them until a valid
checksum is eventually
substituted by the attacker
11

12. 12
What is the WPA protocol?
• Stands for "Wi-Fi Protected Access“
• Wi-Fi Protected Access (WPA), became available in 2003, and it was the
Wi-Fi Alliance’s direct response and replacement to the increasingly
apparent vulnerabilities of the WEP encryption standard. The most
common WPA configuration is WPA-PSK (Pre-Shared Key). The keys
used by WPA are 256-bit, a significant increase over the 64-bit and 128-
bit keys used in the WEP system.
• WPA included message integrity checks (to determine if an attacker had
captured/altered packets passed between the access point and client) and
the Temporal Key Integrity Protocol (TKIP). TKIP employs a per-packet
key system that was radically more secure than the fixed key system used
by WEP. The TKIP encryption standard was later superseded by
Advanced Encryption Standard (AES).

13. 13
Back and Taws’ Attack
• Released in 2008, exploits weakness in TKIP, allowing an attacker to
decrypt ARP packets and to inject traffic into a network, enabling a DoS
or ARP poisoning.
• Attack “requires” Quality of Service (QoS) to be enabled (practical aspect).
That allows several channels to be used. Each channel has its own TSC
(TKIP Sequence Counter). Channel 0 holds most of the traffic, other
channels will have lower TSC. Attack requires Key Renewal Interval to be
longer than 15 min (time needed to decrypt an ARP packet).
1. Attacker de-authenticates a station, then captures ARP packet.
2. Next, he’ll perform a modified Chop-chop attack to recover ICV
(Integrity Check Value) and MIC (Message Integrity Check )of the
packet.
3. With that, attacker needs to guess the last part of the packet, IP
address.
4. Finally, he reverses MICHAEL algorithm and get MIC key. With that
he can now inject custom packet into the network.

14. 14
WPA Attacks
• Ohigashi-Morii Attack
– From 2009, an improvement of the Beck-Tews attack on WPA-
TKIP, more efficient for all modes of WPA and not just those
with QoS features.
• Michael Attack
– In 2010, Beck found that if the internal state of Michael reaches a
certain point, the Michael algorithm resets. With that, an
attacker can inject some text in a packet, add a string that resets
Michael algorithm. Packet is changed but the Michael’s result
remains correct. Apparently, requirements of this attack are even
tighter compared to “Beck and Tews”.

15. 15
References
• https://hub.packtpub.com/what-we-can-learn-
attacks-wep-protocol/
• https://en.wikipedia.org/wiki/Wired_Equivalent_Pr
ivacy
• https://www.youtube.com/watch?v=lmXSWnZ7b_M
• https://www.cyberpunk.rs/wireless-security-
protocols-wep-wpa-wpa2-and-wpa3