Anderson - 2004-08-24

I just read a recent ACM paper: A Key Recovery Attack on the 802.11b Wired Equivalent Privacy Protocol.

It presents 4 improvements for recovering a WEP key. The author claims that it can reduce the packets needed for a 128-bit key from 6 million to about 1 million. Those four improvements are:

1. Test all IVs instead of only weak IVs, which is (S[1]>|CurrentKeyGuess|+1 and S[1]+S[S[1]]=|CurrentKeyGuess|+1)

2. Testing if the WEP checksum on a decrypted packet turned out correctly (I don't quite understand this part).

3. Check if a key value corresponded to an ASCII letter, number or punctuation symbol (which indicates a human-memorable key).

4. Special resolved cases.

My feeling is that Airsnort already has the implementation of 1 and 2 (tryIV in RC4.c). But I am not quite sure about this. Can anyone provide some information? Any discussion is welcome!
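
The checksum test in item 2 is the same integrity check every WEP receiver runs on a frame: RC4-decrypt the body with IV || key and compare the trailing 4-byte ICV with the CRC-32 of the data. The sketch below is an added example, not part of the original post and not Airsnort's code; the function names, IV, keys and payload are constructed for illustration.

```python
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by keystream XOR (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encapsulate(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """Append the ICV (CRC-32, least significant byte first) and encrypt."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return rc4(iv + key, plaintext + icv)

def wep_icv_ok(iv: bytes, key: bytes, body: bytes) -> bool:
    """Decrypt with IV || key and report whether the ICV matches the data."""
    if len(body) < 4:          # too short to carry an ICV at all
        return False
    clear = rc4(iv + key, body)
    data, icv = clear[:-4], clear[-4:]
    return zlib.crc32(data).to_bytes(4, "little") == icv

# Constructed sample values (not taken from any capture).
IV = bytes([0x12, 0x34, 0x56])               # 24-bit per-packet IV
KEY = b"thirteenbytes"                       # 104-bit secret ("128-bit" WEP)
WRONG_KEY = b"wrongwrongkey"                 # same length, different key
PAYLOAD = bytes.fromhex("aaaa030000000800") + b"constructed payload"
FRAME = wep_encapsulate(IV, KEY, PAYLOAD)
TAMPERED = bytes([FRAME[0] ^ 0x01]) + FRAME[1:]   # one ciphertext bit flipped

if __name__ == "__main__":
    print("correct key :", wep_icv_ok(IV, KEY, FRAME))
    print("wrong key   :", wep_icv_ok(IV, WRONG_KEY, FRAME))
    print("tampered    :", wep_icv_ok(IV, KEY, TAMPERED))
```

A wrong key passes this check only by a CRC-32 coincidence (about 1 in 2^32), which is why a single captured frame is enough to tell a correct key from an incorrect one.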