Nothing written on it (not much past the mathematical notations, it got stuck on some far away to-do list). It's an extension of the FMS/h1kari. Example (A_s13):
Attack on K[3] (i.e. fourth byte of the RC4 key, first WEP byte)
You build your partial S, S_2, with K[0],K[1],K[2]. Suppose S_2[1]=3, and j[3] takes a value satisfying S_2[j[3]]=0. Then S_3 would satisfy the following: S_3[1]=3 and S_3[3]=0 (you exchanged j[3] and 3 in S_2). Now if j[4]...j[255] != 1,3, then S[1]=3, and S[3]=0.
Next you have to get the first output byte of the PRGA:
j[1]=S[1]=3
t[1]=S[1]+S[3]=3
swap S[1] and S[3] in S, so now S[1]=0, S[3]=3
first output byte is o[1]=S[t[1]]=S[3]=3
So if S_2[1]=3, S_2[j[3]]=0, then o[1]=3 with probability (around) exp(-2) (j[4],...,j[255] != 1,3).
Now you'll have to admit (it's a bit hairy) that for other values of j[3] the probability of o[1]=3 is roughly 1/256, and a bit of conditional probabilities, and the result is that if S_2[1]=3 and o[1]=3, then S_2[j[3]]=0, with probability (around) exp(-2).
Classic FMS is: given two conditions on S_2, extract the info from the PRGA byte. My extension is: given two conditions, one on S_2, one on the PRGA byte, extract the info from S_2. You find them by fixing an S_2, and looking for values of j[3] that would determine one PRGA byte (take the example and suppose j[3]=1).
Correct me if I am wrong, memory is getting dusty on this one.
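Added simulation (not from the post or its author) that measures the bias described above by running the RC4 KSA/PRGA directly. It assumes a WEP-style key layout with K[0..2] as the public IV and five constructed secret bytes after it; the condition S_2[j[3]]=0 is forced by constructing K[3] for the experiment, which is how the claimed probabilities are checked, not a recovery step.

```python
import random

# Added example: RC4 KSA/PRGA simulation of the S_2[1]=3, S_2[j[3]]=0 case.
# Key layout assumed: K[0..2] = IV (public), K[3..7] = secret (constructed).

def ksa_prefix(key, steps):
    """Run the first `steps` iterations of the RC4 KSA; return (S, j)."""
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S, j

def prga_first_byte(S):
    """First PRGA output byte o[1]: i=1, j=S[1], swap, then S[S[i]+S[j]]."""
    S = S[:]
    j = S[1]
    S[1], S[j] = S[j], S[1]
    return S[(S[1] + S[j]) % 256]

def sample_resolved_iv(rng):
    """Draw random IVs until the post's condition S_2[1] == 3 holds."""
    while True:
        iv = [rng.randrange(256) for _ in range(3)]
        S2, j2 = ksa_prefix(iv, 3)
        if S2[1] == 3:
            return iv, S2, j2

def bias_estimate(trials, force_condition=True, seed=1):
    """Fraction of trials with o[1] == 3 given S_2[1] == 3.
    With force_condition, K[3] is constructed so that j[3] lands on the
    position holding 0 (S_2[j[3]] == 0); expected fraction ~exp(-2).
    Without it, K[3] is random and the fraction should be near 1/256."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        iv, S2, j2 = sample_resolved_iv(rng)
        if force_condition:
            k3 = (S2.index(0) - j2 - S2[3]) % 256  # j[3] = j2 + S_2[3] + K[3]
        else:
            k3 = rng.randrange(256)
        key = iv + [k3] + [rng.randrange(256) for _ in range(4)]
        S, _ = ksa_prefix(key, 256)
        hits += prga_first_byte(S) == 3
    return hits / trials

if __name__ == "__main__":
    print("P(o[1]=3 | S_2[1]=3, S_2[j[3]]=0) ~", bias_estimate(1500))
    print("P(o[1]=3 | S_2[1]=3, random j[3]) ~", bias_estimate(1000, False))
```

The first estimate lands around 0.14 (exp(-2) plus the 1/256 background), the second near 1/256, which is the gap the post's conditional-probability argument relies on.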