Subject: Re: CVS commit: syssrc
To: Michael Graff <explorer@flame.org>
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
List: tech-net
Date: 02/04/2000 09:15:15
[moved from source-changes to tech-net..]

> It claims to be using rc4 with 128 bits.  I just can't discover where
> the other bits are coming from.

It's probably doing something similar to the 40-bit WEP (which uses a
64-bit per-packet key, of which 40 bits are the LAN's shared secret
and 24 bits are a per-packet sequence number, which is logically
equivalent to an initialization vector with chained block ciphers like
DES-CBC mode).  I haven't seen the 128-bit WEP specs, but I hope it's
using a significantly larger per-packet sequence value (and I also
hope this value is carefully chosen to minimise repeats..).. because
if not, the 128-bit crypto is no stronger than the 40-bit crypto to an
exhaustive keystream recovery attack..

RC4 is a stream cipher: it generates a pseudorandom keystream using
the key as the "seed" to the RNG, which you then XOR with the data you
want to encrypt.

If you use the same keystream for multiple packets, you have the "two
time pad" problem -- if you can make reasonable guesses about likely
plaintext contents, it becomes relatively simple to recover the
original traffic and the keystream.

In the exportable mode, WEP attempts to deal with this by using a
24-bit per-packet sequence number which is combined with the fixed
40-bit key, to generate a "new" keystream for each packet.

Now, you don't have to recover the actual RC4 key if you can recover a
meaningful fraction of all 2**24 keystreams for a given key.

WEP keys are painful to change -- every node in the wireless LAN has
to have the same key loaded into it -- so chances are they won't be
changed often, if ever.

In a LAN environment, 2**24 packets isn't a lot -- it's about 24
gigabytes of data (assuming 1500-byte packets).  That would fit
comfortably in about two or three laptop-sized hard drives these
days..

If the LAN is connected to the Internet, the attacker can likely
inject packets containing that much known plaintext over the course of a
week or two without someone noticing, while, at the same time,
harvesting traffic for future analysis; once the keystreams are
recovered, real-time decryption should be possible..

If you were on a tight budget, I suspect this sort of attack could be
carried out with under $2k of off-the-shelf hardware and a bit of
clever programming.  Additional money would let you do a laptop-based
system which would be that much easier to conceal..

					- Bill
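An added worked example of the construction discussed in this message
(not code from the original post, nor from NetBSD or any WEP driver):
a toy of the 40-bit WEP scheme, with RC4 keyed by a 24-bit per-packet
IV prepended to the fixed shared secret.  It shows the "two time pad"
problem (XORing two ciphertexts sent under the same IV cancels the
keystream), and the keystream-harvesting attack Bill describes: the
attacker injects known plaintext under a given IV, subtracts it from
the captured ciphertext to get that IV's keystream, and then decrypts
any later packet carrying the same IV without ever touching the RC4
key.  The secret key, IVs and packet contents are constructed for the
example; the IV-in-the-clear layout is the standard WEP one, but the
packet framing is simplified.

```python
"""Toy WEP keystream-reuse demo (added example, not from the original post)."""
import math


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: int, plaintext: bytes):
    """Toy 40-bit WEP: per-packet RC4 key = 3-byte IV || 5-byte secret.

    The IV travels in the clear with the packet, so the attacker always
    knows which keystream a captured ciphertext was made with.
    """
    assert len(secret) == 5, "40-bit shared secret expected (constructed)"
    iv_bytes = iv.to_bytes(3, "big")
    keystream = rc4_keystream(iv_bytes + secret, len(plaintext))
    return iv_bytes, xor(plaintext, keystream)


def two_time_pad(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under one keystream: c1 ^ c2 == p1 ^ p2."""
    return xor(c1, c2)


class KeystreamHarvester:
    """Attacker state: a table mapping IV -> recovered keystream prefix.

    Filling it for a meaningful fraction of the 2**24 IVs is the attack
    the message describes; no RC4 key recovery is needed.
    """

    def __init__(self):
        self.table = {}

    def learn(self, iv_bytes: bytes, ciphertext: bytes, known_plaintext: bytes):
        """Known plaintext under an IV gives that IV's keystream prefix."""
        ks = xor(ciphertext, known_plaintext)
        if len(ks) > len(self.table.get(iv_bytes, b"")):
            self.table[iv_bytes] = ks

    def decrypt(self, iv_bytes: bytes, ciphertext: bytes):
        """Decrypt a captured packet if its IV's keystream is long enough."""
        ks = self.table.get(iv_bytes)
        if ks is None or len(ks) < len(ciphertext):
            return None
        return xor(ciphertext, ks)


def expected_packets_until_iv_repeat(iv_bits: int) -> float:
    """Birthday bound: packets before the first repeat with random IVs.

    A sequential counter repeats only after 2**iv_bits packets; random
    IVs collide far sooner, which is why the choice of IV matters.
    """
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def demo():
    """Run the attack on constructed traffic; returns what the attacker learns."""
    secret = bytes.fromhex("0badc0ffee")            # constructed 40-bit key
    victim_1 = b"GET /index.html HTTP/1.0\r\n"        # constructed packets
    victim_2 = b"secret: launch codes here\r\n"
    iv, c1 = wep_encrypt(secret, 0x000042, victim_1)
    _, c2 = wep_encrypt(secret, 0x000042, victim_2)   # same IV reused

    # Attacker injects 64 bytes of known plaintext; the station sends it
    # back under IV 0x42, so ciphertext ^ known == keystream for 0x42.
    known = b"A" * 64
    _, c_known = wep_encrypt(secret, 0x000042, known)
    h = KeystreamHarvester()
    h.learn(iv, c_known, known)

    return {
        "xor_of_ciphertexts_equals_xor_of_plaintexts":
            two_time_pad(c1, c2) == xor(victim_1, victim_2),
        "recovered_victim_2": h.decrypt(iv, c2),
        "unknown_iv_fails": h.decrypt(b"\x00\x00\x43", c2),
        "packets_until_random_iv_repeat": expected_packets_until_iv_repeat(24),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=", v)
```

The harvester never sees the 40-bit secret: it only ever subtracts
plaintext it already knows from ciphertext it captured, one IV at a
time, which is exactly why a wider key buys nothing if the per-packet
IV space (and its reuse pattern) stays the same.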