Quote:
|
Originally Posted by devine
Well honestly I don't really understand all those new WEP statistical attacks  |
There are two main results in my work:
1) The 13% iv class
2) The "late resolve" cases.
I will illustrate #1:
Review from FMS:
================
X = S[1]
Y = S[X]
Z = S[ X + Y ]
Resolved cases where B is the key byte we are attacking:
X < B + 3
X + Y = B + 3
Assume we are attacking the first key byte [B = 0].
X, Y and Z are 3 distinct values... so 5% probability they all don't swap.
To get 13%, we need to have only 2 distinct values...
2 values must overlap!
13% probability:
================
X is fixed... always S[1].
Z is "fixed" too we always want it to point to S[3] [attacking first key byte].
The only way to get 2 distinct values is to have Y and Z point at the same
element. This means Y has to point at S[3] as well.
The only way to do that is having S[1] contain 3.
Thus, X = 3.
To get Z to point to 3, we have S[3 + Y]. So Y has to be 0. Y and Z point at the same place S[3], and need to contain the value 0.
Notice that this modifies the FMS equation to
X <= B + 3
Where X = B + 3 is the special case for 13% weak ivs.
Example:
========
run:
sorwep -k 68:9a:01:61:61:61:61:61 -d 3
it will debug the key 61:61:61:61:61 with IV 68:9a:01
concentrating on seed byte 3 [the first key byte].
This is the KSA state [after the swap]:
I=02 J=06 S[i]=06 S[J]=02 S[byte]=01 X=03 Y=01 X+Y=04 Z=04
I=03 J=68 S[i]=00 S[J]=01 S[byte]=00 X=03 Y=00 X+Y=03 Z=00
I=ff J=2a S[i]=f2 S[J]=04 S[byte]=00 X=03 Y=00 X+Y=03 Z=00
In normal conditions, we obviously know the state up to I=02... which is enough.
Notice the key setup at the end:
X=03 Z=Y=0
Just what we wanted.
However the first output byte of PRGA is:
Output of prga before xor 03
We would have expected the output to be 00!
Recall PRGA:
i = i + 1
j = j + S[i]
Swap(S[i], S[j])
Output z = S[S[i] + S[j]]
This means:
i = 1
j = 3
S[i] = S[1] = 3 [this is X]
S[j] = S[3] = 0 [this is Y... but also Z]
notice the swap!!!
the new state will be
S[1] = 0, S[3] = 3
z = S[0+3] = S[3] = 3
To calculate the key using the FMS method, simply assume Z is 0.
How to detect:
==============
The basic way of detecting all this is:
The output of PRGA is the seed byte we are attacking [for example 3].
And X = seed byte we are attacking.
Basically:
if(X == Z && Z == key_byte_we_are_attacking)
Remeber to use Z = 0 when calculating the key with the FMS method.
If anyone is interested, i can explain more of my results [too bad it was about a year ago so stuff isn't fresh in my mind ;D ].