Airsnort Algorithm
I just read a recent ACM paper: A key Recovery Attack on the 802.11b Wired Equivalent Privacy Protocol.
It presents 4 improvement on recovering WEP key. the author acclaims that it can reduce pkts needed for 128-bit key from 6million to about 1million. Those four improvements are:
1. Test all IVs i/o only weak IVs. Which is (S[1]>|CurrentKeyGuess|+1 and S[1]+S[S[1]]=|CurrentKeyGuess|+1
2. testing if the WEP checksum on a decrypted packet turned out correctly (I don't quite understand this part).
3. Check if a key value corresponded to an ASCII letter, number or punctuation symbol. (which indicates a human memorable key)
4. Special resolved cases.
My feeling is that Airsnort has already the implementation of 1 and 2 (tryIV in RC4.c). But I am not quite sure about this. Can anyone provide some information? Any discussion is welcome !
|