
TTM4137 Wireless Security

Klein's and PTW Attacks on WEP


Anton Stolbunov
NTNU, Department of Telematics
version 1, September 7, 2009
Abstract
These notes should help for an in-depth understanding of the paper [1] by Klein and [2] by Tews, Weinmann and Pyshkin.
1 Notation

$n = 256$;
$S$ array containing the numbers $\{0, \ldots, n-1\}$ in some order. Each number is present only once. $S$ is also called a permutation;
$S_i$ RC4 internal permutation $S$ after the $i$-th RC4 round. $1 \le i \le n$ corresponds to the key setup algorithm, while $i > n$ is the key stream generation algorithm;
$j_i$ RC4 internal variable $j$ after the $i$-th RC4 round;
$K$ RC4 key;
$l$ length of $K$ in bytes. Equals 16 for the 104-bit Wired Equivalent Privacy (WEP);
$X$ RC4 key stream;
$\mathrm{Rk}$ WEP root key. 13 bytes for the 104-bit WEP;
$\mathrm{IV}$ WEP per-packet initialization vector. 3 bytes;
$\leftarrow$ assignment;
$\leftrightarrow$ swap;
$\oplus$ bitwise XOR;
$\forall$ for all;
iff if and only if;
$||$ concatenation.

Indexing in arrays starts from 0, i.e. the first element of $S$ is $S[0]$. All formulas are implicitly written modulo $n$, except for the values of probabilities. In Sections 4 and 5 we present attacks on the 104-bit WEP, i.e. $l = 16$.
[Figure 1: RC4 stream cipher. The key $K$ is fed to RC4, which produces the key stream $X$; the message is XORed with $X$ to give the ciphertext.]
2 RC4 Stream Cipher
Fig. 1 and Algorithms 1 and 2 illustrate the RC4 encryption.

Algorithm 1 RC4 key setup
1: S ← (0, 1, ..., 255)
2: j ← 0
3: for i ← 0 to 255 do
4:   j ← j + S[i] + K[i mod l]
5:   S[i] ↔ S[j]
6: end for
7: i ← 0
8: j ← 0

Algorithm 2 RC4 key stream generation
1: i ← i + 1
2: j ← j + S[i]
3: S[i] ↔ S[j]
4: return S[S[i] + S[j]]
3 Klein's Correlation in RC4
Throughout this section $i$ is a positive integer less than $n$.

3.1 Klein's Theorem
We present a simplified version of [1, Theorem 1]. The theorem is relevant not only to RC4, as it applies to permutations in general.

Theorem 1. Let $S$ be a random permutation of the numbers $\{0, \ldots, n-1\}$ ($S$ is random means that it is picked from the $n!$ possible permutations such that the probability of picking each one is $1/n!$). Then for all integers $i, x, c \in \{0, \ldots, n-1\}$, the following holds:
$$\Pr\bigl( S[\,S[i] + x\,] + x = i \bigr) = \frac{2}{n}, \quad (1)$$
$$\Pr\bigl( S[\,S[i] + x\,] + x = c \bigr) = \frac{n-2}{n(n-1)}, \quad \text{where } c \neq i. \quad (2)$$
Proof. To show (1) we will count the total number of different permutations $S$ that satisfy the condition under the $\Pr$ sign. Consider the following two disjoint cases:

Case 1:
$$S[i] = i - x. \quad (3)$$
It follows that $i = S[i] + x$ and, substituting the index $i$ in (3), we get $S[\,S[i] + x\,] = i - x$. This is equivalent to condition (1), so we are only left with one condition. (3) puts a restriction on one element $S[i]$. The remaining $n-1$ elements can take any of the remaining $n-1$ values. Thus the total number of permutations satisfying (3) is $(n-1)!$.

Case 2:
$$S[i] \neq i - x. \quad (4)$$
We now have two conditions that should be met simultaneously. Condition (1) leaves only one possibility for the element $S[\,S[i] + x\,]$, leaving the remaining elements unrestricted. Because of (4), we have that $S[i] + x \neq i$, so conditions (1) and (4) apply to elements with different indices. Condition (4) leaves $n-1$ possibilities for the value of $S[i]$. The remaining $n-2$ elements of $S$ can take any of the remaining $n-2$ unused values. Thus Case 2 incorporates a total of $(n-1)(n-2)! = (n-1)!$ permutations.

We have shown that Cases 1 and 2 allow a total of $2(n-1)!$ different permutations. Since $S$ is picked at random from $n!$ possibilities, the probability that we hit either of the two cases is
$$\frac{2(n-1)!}{n!} = \frac{2}{n},$$
which proves (1).

To show (2) we will again count possible permutations. We first show that (5) holds. Suppose the opposite is true: $S[i] = i - x$. Then $S[i] + x = i$, and, substituting the index in (2), we get that $S[i] + x = c$. But $c \neq i$, so $S[i] + x \neq i$, which contradicts our assumption. Thus
$$S[i] \neq i - x. \quad (5)$$
Since $S[i] + x \neq i$, conditions (2) and (5) apply to elements with different indices in $S$. Condition (2) leaves one possibility for the value of the element $S[\,S[i] + x\,]$. This value is $c - x$, and it is different from $i - x$, because $c \neq i$. So when it comes to the element $S[i]$, it cannot take the value $c - x$ because it is already used, and cannot take the value $i - x$ because of the condition (5). The element $S[i]$ is only left with $n-2$ possibilities. The remaining $n-2$ elements can take any of the remaining $n-2$ values. Thus the total number of permutations satisfying (2) is $(n-2)(n-2)!$. This gives us the probability
$$\frac{(n-2)(n-2)!}{n!} = \frac{n-2}{n(n-1)}.$$
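The counting argument above can be checked by brute force for a small $n$. The following is an added example (not code from the notes; function names are my own): it enumerates all $n!$ permutations and compares, for every $c$, the number of permutations with $S[\,S[i]+x\,]+x = c$ against the $2(n-1)!$ and $(n-2)(n-2)!$ claimed in the proof, for any choice of $i$ and $x$.

```python
from itertools import permutations  # added example, not code from the notes
from math import factorial

def theorem1_counts(n, i, x):
    """For every c, count the permutations S of {0,..,n-1} satisfying
    S[S[i]+x]+x = c (mod n), by enumerating all n! permutations (small n only)."""
    counts = [0] * n
    for S in permutations(range(n)):
        counts[(S[(S[i] + x) % n] + x) % n] += 1
    return counts

def theorem1_predicted_counts(n, i):
    """Counts claimed by the proof of Theorem 1: 2(n-1)! for c = i
    (Cases 1 and 2 together) and (n-2)(n-2)! for every c != i."""
    return [2 * factorial(n - 1) if c == i else (n - 2) * factorial(n - 2)
            for c in range(n)]

def theorem1_probabilities(n):
    """Equations (1) and (2): Pr(... = i) and Pr(... = c) for c != i."""
    return 2 / n, (n - 2) / (n * (n - 1))
```

For $n = 6$ the enumeration covers only 720 permutations, yet the counts already match the proof exactly for every $c$, which is the point of the exercise.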
3.2 Equation (10)
Observe that in Lines 4 and 5 of Algorithm 1 the current round number is $i + 1$. Thus we can write
$$j_{i+1} = j_i + S_i[i] + K[\,i \bmod l\,], \quad (6)$$
$$S_{i+1}[i] = S_i[\,j_{i+1}\,]. \quad (7)$$
After substituting $j_{i+1}$ in (7) with the value from (6) we get
$$\underbrace{S_{i+1}[i]}_{h} = S_i[\,\underbrace{j_i + S_i[i] + K[\,i \bmod l\,]}_{g}\,]. \quad (8)$$
Now denote $g$ and $h$ as pictured in (8). Since permutations are invertible, we have that
$$S[g] = h \iff S^{-1}[h] = g, \quad (9)$$
so we can rewrite (8) as
$$S_i^{-1}[\,S_{i+1}[i]\,] = j_i + S_i[i] + K[\,i \bmod l\,],$$
or
$$K[\,i \bmod l\,] = S_i^{-1}[\,S_{i+1}[i]\,] - \bigl(j_i + S_i[i]\bigr). \quad (10)$$
3.3 Equation (13)
Observe from Line 4 of Algorithm 2 that after a round number $i + n$ the following holds:
$$S_{i+n}[\,S_{i+n}[i] + S_{i+n}[j_{i+n}]\,] = X[i-1]. \quad (11)$$
In (1) choose $S$ to be $S_{i+n}$ and $x$ to be $S_{i+n}[j_{i+n}]$. Theorem 1 implies that
$$\Pr\bigl( S_{i+n}[\,S_{i+n}[i] + S_{i+n}[j_{i+n}]\,] + S_{i+n}[j_{i+n}] = i \bigr) = \frac{2}{n}. \quad (12)$$
Combining (11) and (12) we get
$$\Pr\bigl( \underbrace{S_{i+n}[j_{i+n}]}_{\beta} = \underbrace{i - X[i-1]}_{\gamma} \bigr) = \frac{2}{n}. \quad (13)$$
3.4 Equation (16)
We now use (2) substituting, as before, $S$ with $S_{i+n}$ and $x$ with $S_{i+n}[j_{i+n}]$:
$$\forall c \neq i,\; \Pr\bigl( S_{i+n}[\,S_{i+n}[i] + S_{i+n}[j_{i+n}]\,] + S_{i+n}[j_{i+n}] = c \bigr) = \frac{n-2}{n(n-1)}. \quad (14)$$
Combining (11) and (14) we get
$$\forall c \neq i,\; \Pr\bigl( X[i-1] + S_{i+n}[j_{i+n}] = c \bigr) = \frac{n-2}{n(n-1)}.$$
Now add $i$ to each side and rearrange the terms:
$$\forall c \neq i,\; \Pr\bigl( S_{i+n}[j_{i+n}] - c + i = i - X[i-1] \bigr) = \frac{n-2}{n(n-1)}. \quad (15)$$
After denoting
$$\delta = S_{i+n}[j_{i+n}] - c + i,$$
we notice that $c \neq i$ iff $S_{i+n}[j_{i+n}] - c + i \neq S_{i+n}[j_{i+n}]$, i.e. iff $\delta \neq S_{i+n}[j_{i+n}]$, and thus (15) can be written as
$$\forall \delta \neq \underbrace{S_{i+n}[j_{i+n}]}_{\beta},\; \Pr\bigl( \underbrace{i - X[i-1]}_{\gamma} = \delta \bigr) = \frac{n-2}{n(n-1)}. \quad (16)$$
3.5 Equation (20)
Consider Algorithm 1 where Line 4 is replaced with
$$j \leftarrow \mathrm{rand}(n). \quad (17)$$
This is a rude approximation (see footnote 2) of the original algorithm, but it will let us derive some important probability estimates. On each round of this modified key setup algorithm, $S[i]$ is swapped with an element $S[j]$, where $j$ is now random. In particular, during the round number $i + 2$, the probability of the event $j = i$ equals $1/n$, and so the probability that $j \neq i$ is $1 - 1/n$. Thus $S_{i+1}[i]$ stays unchanged during the $(i+2)$nd round with probability $1 - 1/n$. We write this fact as
$$\Pr\bigl( S_{i+1}[i] = S_{i+2}[i] \bigr) = 1 - \frac{1}{n}.$$
The same reasoning applies to subsequent rounds, i.e. the probability that $S_{i+1}[i]$ stays unchanged during the next $k$ rounds is $(1 - 1/n)^k$, $k < n - i$. Moreover, if we replace Line 2 of Algorithm 2 with (17), our result generalizes to any number of rounds. Using $k = n - 2$, we can write
$$\Pr\bigl( S_{i+1}[i] = S_{i+n-1}[i] \bigr) = \Bigl(1 - \frac{1}{n}\Bigr)^{n-2}. \quad (18)$$
Now observe from Line 3 of Algorithm 2 that
$$S_{i+n}[j_{i+n}] = S_{i+n-1}[i]. \quad (19)$$
Substituting $S_{i+n-1}[i]$ in (18) with the value from (19) we get
$$\Pr\bigl( \underbrace{S_{i+1}[i]}_{\alpha} = \underbrace{S_{i+n}[j_{i+n}]}_{\beta} \bigr) = \Bigl(1 - \frac{1}{n}\Bigr)^{n-2}. \quad (20)$$

Footnote 2: If the key $K$ consisted of $n$ independent random bytes, this approximation would be precise in terms of probability distributions. But since $l < n$, we should expect some imprecision in final results, which will show through an increased number of packets required for the WEP attack in practice.
3.6 Equation (22)
Lemma 1. If
$$\Pr(\alpha = \beta) = p_1,$$
$$\Pr(\beta = \gamma) = p_2,$$
$$\forall \delta \neq \beta,\; \Pr(\gamma = \delta) = p_3,$$
then
$$\Pr(\alpha = \gamma) = p_1 p_2 + (1 - p_1)\, p_3.$$
Proof. Consider two cases:

Case 1: $\alpha = \beta$. We find that $\Pr(\alpha = \gamma) = \Pr(\beta = \gamma) = p_2$.

Case 2: $\alpha \neq \beta$. If we now let $\delta = \alpha$, which is allowed since $\alpha \neq \beta$, we see that $\Pr(\alpha = \gamma) = \Pr(\gamma = \delta) = p_3$.

Since Case 1 happens with probability $p_1$, and Case 2 with probability $(1 - p_1)$, we get that $\Pr(\alpha = \gamma) = p_1 p_2 + (1 - p_1)\, p_3$.

The result of Lemma 1 applies to Equations (13), (16) and (20) with the notation for $\alpha$, $\beta$, $\gamma$ and $\delta$ introduced in these equations. It follows that
$$\Pr\bigl( S_{i+1}[i] = i - X[i-1] \bigr) = \Bigl(1 - \frac{1}{n}\Bigr)^{n-2} \cdot \frac{2}{n} + \Bigl(1 - \Bigl(1 - \frac{1}{n}\Bigr)^{n-2}\Bigr) \cdot \frac{n-2}{n(n-1)}.$$
If we use $n = 256$, the last formula approximates to $0.0053 \approx 1.36/n$. Thus we have that
$$\Pr\bigl( S_{i+1}[i] = i - X[i-1] \bigr) \approx \frac{1.36}{n}. \quad (21)$$
Consider (10) that holds unconditionally, and replace the term $S_{i+1}[i]$ with the value from (21). Since the equality under the $\Pr$ sign in (21) holds with the given probability, we can write
$$\Pr\Bigl( K[\,i \bmod l\,] = S_i^{-1}[\,i - X[i-1]\,] - \bigl(S_i[i] + j_i\bigr) \Bigr) \approx \frac{1.36}{n}. \quad (22)$$
Note that, according to Algorithm 1, for $i < l$, the key bytes $K[0], K[1], \ldots, K[i-1]$ completely determine the permutation $S_i$. Therefore (22) expresses the dependency between the $i$-th key byte, the $i$ preceding key bytes and the $(i-1)$st key stream byte. We see a severe probability deviation from the mean value $1/n$. This fact will be used in our attack to obtain information about the value of the key byte $K[i]$.
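The following is an added example, not code from the notes: Algorithms 1 and 2 in Python, with the key setup able to record $(S_i, j_i)$ after chosen rounds (the round numbering of Section 3.2), plus a Monte Carlo estimate of how often the guess on the right-hand side of (22) equals $K[i \bmod l]$ for random 16-byte keys. Function names are my own; the notes predict a hit rate near $1.36/n \approx 0.0053$ rather than the uniform $1/n$.

```python
import random  # added example, not code from the notes

N = 256  # n in the notes

def rc4_ksa(key, snapshots=()):
    """Algorithm 1. Returns the final permutation and, for each round number r
    in `snapshots`, a copy of (S_r, j_r): the state after r rounds."""
    S = list(range(N)); j = 0; l = len(key); saved = {}
    for i in range(N):
        j = (j + S[i] + key[i % l]) % N
        S[i], S[j] = S[j], S[i]
        if i + 1 in snapshots:  # loop index i is round i+1, as in Section 3.2
            saved[i + 1] = (S[:], j)
    return S, saved

def rc4_keystream(S, nbytes):
    """Algorithm 2: nbytes of key stream X from the set-up permutation S."""
    S = S[:]; i = j = 0; out = []
    for _ in range(nbytes):
        i = (i + 1) % N
        j = (j + S[i]) % N
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % N])
    return out

def rc4_encrypt(key, data):
    S, _ = rc4_ksa(key)
    return bytes(d ^ x for d, x in zip(data, rc4_keystream(S, len(data))))

def klein_guess(S_i, j_i, X, i):
    """Right-hand side of (22): S_i^{-1}[i - X[i-1]] - (S_i[i] + j_i) mod n."""
    inv = [0] * N
    for idx, v in enumerate(S_i):  # S_i^{-1}, see (9)
        inv[v] = idx
    return (inv[(i - X[i - 1]) % N] - (S_i[i] + j_i)) % N

def klein_hit_rate(trials, key_len=16, rounds=range(3, 16), seed=1):
    """Fraction of (random key, i) samples for which K[i mod l] equals the
    guess from (22); the notes predict about 1.36/n rather than 1/n."""
    rng = random.Random(seed)
    hits = total = 0
    for _ in range(trials):
        key = [rng.randrange(N) for _ in range(key_len)]
        S, saved = rc4_ksa(key, snapshots=set(rounds))
        X = rc4_keystream(S, max(rounds))  # X[0..14] covers X[i-1], i <= 15
        for i in rounds:
            S_i, j_i = saved[i]
            hits += key[i % key_len] == klein_guess(S_i, j_i, X, i)
            total += 1
    return hits / total
```

A broken key setup or key stream generator shows up immediately: the hit rate drops to the uniform $1/n \approx 0.0039$, and the standard RC4 test vector (key "Key", plaintext "Plaintext") no longer encrypts to BBF316E8D940AF0AD3.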
4 Klein's Attack on WEP
The payload field in the 802.11 data frame's MAC protocol data unit (MPDU) consists of:
$$\underbrace{\text{IV, padding, Rk's ID}}_{\text{plaintext}},\; \underbrace{\text{data, ICV}}_{\text{encrypted}},$$
where IV is a 3-byte initialization vector, Rk's ID is a 2-bit root key identifier and ICV is the integrity check value. The data field carries packets from higher layers. The encryption is performed by RC4 using the key
$$K = \mathrm{IV}\,||\,\mathrm{Rk}.$$
Note that the secret root key $\mathrm{Rk}$ is prepended with an IV, which is transmitted over the air in clear text. The IV is different for each packet (which is not always true in practice).

Assume we have captured a packet where we know the first 15 bytes of the data field in clear text (see footnote 3). We compute 15 bytes of the RC4 key stream as follows (see also Fig. 1):
$$X[i] = \text{ciphertext}[i] \oplus \text{data}[i], \quad i \in \{0, 1, \ldots, 14\}.$$
Since we know the value of $\mathrm{IV} = (K[0], K[1], K[2])$, we can run the first three rounds of the RC4 key setup algorithm, and thus obtain $S_3$ and $j_3$. From $S_3$ it is also straightforward to compute $S_3^{-1}$ using (9). Now write (22) for $i = 3$:
$$\Pr\Bigl( K[3] = \underbrace{S_3^{-1}[\,3 - X[2]\,] - \bigl(S_3[3] + j_3\bigr)}_{k_0} \Bigr) \approx \frac{1.36}{n}.$$

Footnote 3: To recover a 13-byte $\mathrm{Rk}$ we do not actually need the first 2 bytes, but only need the following 13 bytes of the data.

We compute the value $k_0$ and store it as a candidate for $\mathrm{Rk}[0]$. Note that with a rather high probability $1 - 1.36/n$, the byte $\mathrm{Rk}[0]$ can have a value different from $k_0$. Thus we need to collect more evidence about $\mathrm{Rk}[0]$. Luckily, this can be done using packets that are transmitted between the same stations (thus the same $\mathrm{Rk}$, see footnote 4), but have different IVs. Each new IV provides us with a new experiment outcome, whereas an observation of the same IVs gives no new information whatsoever, since the same IVs yield identical first three rounds of the key setup Algorithm 1. When enough votes are collected, we can choose the highest rated value of $k_0$. Klein estimates the number of unique IVs sufficient to recover the byte $\mathrm{Rk}[0]$ to be 25000.

After choosing the most frequent $k_0$, we let $K[3] = k_0$, which allows us to run the fourth round of the key setup algorithm for each given IV. Using the same collection of captured packets we now carry out similar calculations for the byte $\mathrm{Rk}[1]$. By this approach we find all the bytes of $\mathrm{Rk}$ and finally test it by a trial decryption of some ciphertext for which we know the plaintext, or a part of it.

In a case when too few unique IVs were used, the right candidate for some $\mathrm{Rk}[i]$ might not be the most frequent one. Then we have to try the second, third and so on, most frequent candidates for $\mathrm{Rk}[i]$, recomputing the subsequent key bytes $\mathrm{Rk}[i+1], \ldots, \mathrm{Rk}[l-1]$ for each new $\mathrm{Rk}[i]$. This iterative try-and-fail process is repeated until the correct root key is found. Note the high computational cost of correcting falsely guessed key bytes in this approach.
5 PTW Improved Key Calculation
Tews, Weinmann and Pyshkin extend Klein's attack such that it is possible to compute key bytes independently of each other.

Consider Line 4 of Algorithm 1 during an $(i+3)$rd round, for some $i \le n - 3$:
$$j_{i+3} = j_{i+2} + S_{i+2}[i+2] + K[\,i + 2 \bmod l\,]. \quad (23)$$
Similarly the $(i+2)$nd round yields
$$j_{i+2} = j_{i+1} + S_{i+1}[i+1] + K[\,i + 1 \bmod l\,],$$
and substituting $j_{i+2}$ in (23) gives
$$j_{i+3} = j_{i+1} + \sum_{m=i+1}^{i+2} S_m[m] + \sum_{m=i+1}^{i+2} K[\,m \bmod l\,].$$

Footnote 4: We assume that the root key is not changed during the attack, which is very likely to be true in practice.

After doing this substitution $i - 2$ times we get
$$j_{i+3} = j_3 + \sum_{m=3}^{i+2} S_m[m] + \sum_{m=3}^{i+2} K[\,m \bmod l\,]. \quad (24)$$
Now write (22) replacing $i$ with $i + 3$:
$$\Pr\Bigl( K[\,i + 3 \bmod l\,] = S_{i+3}^{-1}[\,i + 3 - X[i+2]\,] - \bigl(S_{i+3}[i+3] + j_{i+3}\bigr) \Bigr) \approx \frac{1.36}{n},$$
and replace the rightmost term $j_{i+3}$ with the one from (24). After regrouping of terms we get:
$$\Pr\Bigl( \underbrace{\sum_{m=3}^{i+3} K[\,m \bmod l\,]}_{\sigma_i} = S_{i+3}^{-1}[\,i + 3 - X[i+2]\,] - \Bigl(j_3 + \sum_{m=3}^{i+3} S_m[m]\Bigr) \Bigr) \approx \frac{1.36}{n}.$$
After denoting $\sigma_i$ as pictured above, the last equation becomes
$$\Pr\Bigl( \sigma_i = S_{i+3}^{-1}[\,i + 3 - X[i+2]\,] - \Bigl(j_3 + \sum_{m=3}^{i+3} S_m[m]\Bigr) \Bigr) \approx \frac{1.36}{n}. \quad (25)$$
The right side of the equality under the $\Pr$ sign is dependent on the first $i + 3$ key setup rounds. The authors of the PTW attack note that with a rather high probability the elements of $S$ that are used in this expression stay unchanged since the third round of the key setup algorithm. Thus we can replace them with the corresponding elements in $S_3$ and still have a significant probability deviation for small $i$'s [2, Equations 7 and 8]:
$$\Pr\Bigl( \sigma_i = \underbrace{S_3^{-1}[\,i + 3 - X[i+2]\,] - \Bigl(j_3 + \sum_{m=3}^{i+3} S_3[m]\Bigr)}_{A_i} \Bigr) > \frac{1}{n}. \quad (26)$$
The PTW attack proceeds as follows. For each captured packet we run the first three rounds of the RC4 key setup algorithm and compute the values $A_i$ for all $i \in \{0, 1, \ldots, 12\}$. Every new IV yields thirteen new (possibly repeating) values $A_i$. When a sufficient number of packets is analysed, we choose the most frequent candidates for the $A_i$'s and assign them to the variables $\sigma_i$ for all $i \in \{0, 1, \ldots, 12\}$. The root key bytes are then obtained using
$$\mathrm{Rk}[0] = \sigma_0; \quad \mathrm{Rk}[i] = \sigma_i - \sigma_{i-1}, \quad i \in \{1, \ldots, 12\}.$$
The root key is then checked for correctness by a trial decryption. If it is wrong, we choose less frequent candidates for the $\sigma_i$'s and try again. As compared to Klein's attack, this approach does not require recalculation of statistics for the rightmost key bytes every time we correct a falsely guessed $\sigma_i$.
References
[1] Andreas Klein. Attacks on the RC4 stream cipher. Des. Codes Cryptography, 48(3):269–286, 2008.
[2] Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin. Breaking 104 bit WEP in less than 60 seconds. In Sehun Kim, Moti Yung, and Hyung-Woo Lee, editors, WISA, volume 4867 of Lecture Notes in Computer Science, pages 188–202. Springer, 2007.