# Finding WEP key by capturing WEP messages question

Hello,

I have a technical question concerning WEP cracking. When tools like aircrack scan the wireless WEP networks and gather thousands of messages from the network, how do they actually find the WEP key? Do they just use pairs of messages encrypted with the same initialisation vectors (IV)? What exactly is the logical operation they are doing?

As far as I know an encrypted message will be:

C = [ M || ICV(M) ] + [ RC4(K || IV) ]

where M is a message, ICV(M) an integrity check, K the WEP key and IV an initialisation vector which is also transmitted in clear.

If I get two messages encrypted with the same IV but with different contents I will have:

C1 = [ M1 || ICV(M1) ] + [ RC4(K || IV) ]

C2 = [ M2 || ICV(M2) ] + [ RC4(K || IV) ]

What are these tools doing exactly to recover K?

Thanks very much!
c.

##### Share on other sites

Thanks so much, Cooper. The link you are providing says:

>"This allows an attacker to collect two ciphertexts that are encrypted with the same key stream and perform statistical attacks to recover the plaintext."

I would like to know what these "statistical attacks" are. Additionally, these techniques seem to be for recovering plaintexts, but I am interested in knowing how the key is recovered, not how the plaintexts are recovered!

If I know the plaintext I could xor the plaintext and its text encrypted:

C1 + M1 || ICV(M1) = [ M1 || ICV(M1) ] + [ RC4(K || IV) ] + M1 = RC4(K || IV)

I cannot infer K from RC4(K || IV), right? Am I missing something?

Thanks so much

Carlos

##### Share on other sites

Since the plaintext is XORed with the key, wouldn't having the plaintext and the encrypted plaintext mean you also have the key?

I think the point they're also making is that during the connection phase between a client and an AP, the packets being transmitted are in part protocol-specified and thus either constant or predictable. That means that if you were to deauth everybody you'd see a lot of traffic between the AP and its clients trying to reconnect. And all this traffic is predictable in nature so it can tell you a lot about the key used since the IV has a high reuse potential.

Based on my admittedly very limited understanding of the math here, what you're doing is trying to statistically determine IV so that RC4 (K || IV ) actually becomes RC4( X ) which is apparently a much less difficult problem to solve once you've looked at sufficient amounts of data.

Again though, this is not my field so don't go by my description here alone. There's ample opportunity for me to have gotten this completely wrong.

##### Share on other sites

> Since the plaintext is XORed with the key, wouldn't having the plaintext and the encrypted plaintext mean you also have the key?

> Based on my admittedly very limited understanding of the math here, what you're doing is trying to statistically determine IV so that RC4 (K || IV ) actually becomes RC4( X ) which is apparently a much less difficult problem to solve once you've looked at sufficient amounts of data.

Having the plaintext means that you calculate its integrity ICV(M) and then calculate:

C1 + (M1 || ICV(M1)) = [ M1 || ICV(M1) ] + [ RC4(K || IV) ] + M1 = RC4(K || IV)

So you have at the end RC4(K || IV). In order to find the key you still need to test with all the different possible K's to obtain RC4(K || IV).

> I think the point they're also making is that during the connection phase between a client and an AP, the packets being transmitted are in part protocol-specified and thus either constant or predictable. That means that if you were to deauth everybody you'd see a lot of traffic between the AP and its clients trying to reconnect. And all this traffic is predictable in nature so it can tell you a lot about the key used since the IV has a high reuse potential.

What do you mean by "you a lot about the key"? How exactly? Thanks so much!

> Again though, this is not my field so don't go by my description here alone. There's ample opportunity for me to have gotten this completely wrong.

Thanks so much again for your reply!! I really appreciate it!! Perhaps someone else could help me with the math here!
C.

##### Share on other sites

From that original link I provided I found the reference to this PDF which seems to go into the math quite a bit more than I'm capable of.

http://www.isaac.cs.berkeley.edu/isaac/mobicom.pdf

##### Share on other sites

Thanks so much. I will have a look at it.

Cheers

C.

##### Share on other sites

Hello again,

In the article you are providing it is described how to decrypt messages, modify messages, inject messages, spoof messages, spoof authentication but no description whatsoever on how to obtain the key. Perhaps what I am missing is how to retrieve the key once you have obtained the WEP cyphertext:

RC4(K || IV)

First of all I think I am missing something important which probably is the key of it. In every WEP documentation it is explained that the Cypherstream is calculated:

RC4(k||IV). Where || is the concatenation operator.

But RC4 is a function which takes as arguments a plaintext and a key. RC4(M,k).

So how is it done exactly? RC4(k||IV, k)?

In this case, having obtained the cyphertext RC4(k||IV, k), it will be impossible to obtain the key from it!

I am a bit lost with this!

Thanks so much!
Carlos

##### Share on other sites

Good question.

I found this which basically says you can't get the key out even if you know the key stream. Maybe you should investigate those claims that some parts of WEP are implemented poorly or incorrectly which would result in the possible recovery of the key where this would otherwise not be feasible.
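
The point the thread circles around (what RC4 is actually fed, and what known plaintext does and does not give you), as an added example that is not part of any post above: RC4 takes only a seed and outputs a keystream, which is XORed with M || ICV(M). The thread writes the seed as K || IV; 802.11 WEP prepends the IV (IV || K), which is what the code uses. The key, IV and messages are constructed sample values, and the function names are this example's own.

```python
import zlib

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """RC4: key scheduling (KSA) over the seed, then n output bytes (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S using the seed
        j = (j + S[i] + seed[i % len(seed)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # PRGA: emit keystream bytes
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def with_icv(msg: bytes) -> bytes:
    """M || ICV(M); the WEP ICV is CRC-32, appended little-endian."""
    return msg + zlib.crc32(msg).to_bytes(4, "little")

def wep_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    """C = (M || ICV(M)) XOR RC4(IV || K)."""
    body = with_icv(msg)
    return xor(body, rc4_keystream(iv + key, len(body)))

def recover_keystream(cipher: bytes, known_msg: bytes) -> bytes:
    """Known plaintext yields the keystream for that IV, not the key K."""
    return xor(cipher, with_icv(known_msg))

def decrypt_with_keystream(cipher: bytes, keystream: bytes):
    """Read another frame sent under the same IV; returns (msg, icv_ok)."""
    body = xor(cipher, keystream)
    msg, icv = body[:-4], body[-4:]
    return msg, with_icv(msg)[-4:] == icv

# Constructed sample values (not taken from the thread).
KEY = bytes.fromhex("0102030405")             # 40-bit WEP key
IV = bytes.fromhex("a1b2c3")                  # 24-bit IV, sent in clear
M1 = b"known ARP-like frame"                  # plaintext the observer knows
M2 = b"secret payload 12345"                  # same length, unknown plaintext

if __name__ == "__main__":
    c1, c2 = wep_encrypt(KEY, IV, M1), wep_encrypt(KEY, IV, M2)
    print(decrypt_with_keystream(c2, recover_keystream(c1, M1)))
```

The recovered keystream is only valid for frames sent under that one IV; a different IV reseeds RC4 and produces an unrelated keystream, which is why IV reuse, rather than the XOR step itself, is the weakness being discussed.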
