The fast part of the lab test was to gather enough weak packets to run a statistical analysis on them to determine the best value for the key. I can get a good number of packets in less than a day...a process which may take several days in a real world setting.
Unfortunately, it seems that running the crack to do that statistical analysis requires a significant amount of power if you don't have all the weak keys.
Anyway, here is the AirSnort theory on weak keys:
// --- Capture Details ---
Useful packets are those with the following property of their IV; the
first byte is a number three greater than one of the offsets of the
bytes of the key. For 128 bit encryption, this means a number from
3-16. The second byte must be 255 and the third byte can have any
value. This means that for every byte of the key, there are 256 weak
IVs.
When every weak IV has been gathered (13 key bytes * 256 = 3315
packets), there is no point to continuing the capture process. In
reality, it takes somewhat fewer packets than this.
// ---
Now, determining what weak keys have actually been gathered in the overall total is somewhat interesting because invariably many of them get repeated, and there is no need for dupes. I don't have all the values, though...as this sample happily shows:
Performing crack, keySize=128 bit, breadth=5
Key Byte 0: 174 samples
Key Byte 1: 146 samples
Key Byte 2: 169 samples
Key Byte 3: 160 samples
Key Byte 4: 165 samples
Key Byte 5: 164 samples
Key Byte 6: 161 samples
Key Byte 7: 148 samples
Key Byte 8: 162 samples
Key Byte 9: 154 samples
Key Byte 10: 170 samples
Key Byte 11: 161 samples
Key Byte 12: 150 samples
Check samples: 10
Once my GF heads home tomorrow, I'm intending to generate enough traffic over the next week such that I can get all the key bytes and then see how quickly a key can be obtained at that time.
The most promising aspect of this kind of discovery is that while the crack may work, the persistence required to pull off the captures and a successful crack may actually take a _lot_ more resources than originally anticipated.
-A.G.-
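The following is an added example, not part of the original post and not AirSnort's code: it applies the weak-IV rule quoted above (first byte = key byte offset + 3, second byte 255, third byte free) to a list of captured IVs and counts how many distinct weak IVs, duplicates excluded, are held for each key byte. It assumes key byte offsets 0 to 12 for 128-bit WEP; the function names and sample IVs are constructed for illustration.

```python
# Added illustration: tally distinct weak IVs per key byte, ignoring repeats.
KEY_BYTES_128 = 13        # assumption: offsets 0..12, so weak first bytes are 3..15
IVS_PER_KEY_BYTE = 256    # the third IV byte can take any value

def weak_key_byte(iv, key_bytes=KEY_BYTES_128):
    """Return the key byte offset this IV is weak for, or None if it is not weak."""
    if len(iv) != 3:
        raise ValueError("a WEP IV is exactly 3 bytes")
    first, second, _third = iv
    offset = first - 3
    if second == 255 and 0 <= offset < key_bytes:
        return offset
    return None

def coverage(ivs, key_bytes=KEY_BYTES_128):
    """Return (distinct, duplicates); distinct[k] is the set of third bytes seen."""
    distinct = {k: set() for k in range(key_bytes)}
    duplicates = 0
    for iv in ivs:
        k = weak_key_byte(iv, key_bytes)
        if k is None:
            continue              # not a weak IV, nothing to record
        if iv[2] in distinct[k]:
            duplicates += 1       # same weak IV captured again
        else:
            distinct[k].add(iv[2])
    return distinct, duplicates

def summary(ivs, key_bytes=KEY_BYTES_128):
    """Map key byte -> (distinct weak IVs held, weak IVs still unseen)."""
    distinct, _ = coverage(ivs, key_bytes)
    return {k: (len(s), IVS_PER_KEY_BYTE - len(s)) for k, s in distinct.items()}

# Constructed sample IVs (not taken from a real capture).
SAMPLE_IVS = [
    bytes([3, 255, 0]),     # weak for key byte 0
    bytes([3, 255, 0]),     # duplicate of the line above
    bytes([3, 255, 7]),     # weak for key byte 0, new third byte
    bytes([15, 255, 200]),  # weak for key byte 12
    bytes([16, 255, 1]),    # first byte outside 3..15 under the assumption above
    bytes([4, 254, 9]),     # second byte is not 255
    bytes([10, 255, 33]),   # weak for key byte 7
]

if __name__ == "__main__":
    _, dupes = coverage(SAMPLE_IVS)
    for k, (have, left) in summary(SAMPLE_IVS).items():
        print(f"Key Byte {k}: {have} distinct weak IVs, {left} unseen")
    print(f"Duplicates ignored: {dupes}")
```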