Paper 2015/254

Tornado Attack on RC4 with Applications to WEP and WPA

Pouyan Sepehrdad, Petr Susil, Serge Vaudenay, and Martin Vuagnoux

Abstract

In this paper, we construct several tools for building and manipulating pools of statistical correlations in the analysis of RC4. We develop a theory to analyze these correlations in an optimized manner. We leverage this theory to mount several attacks on IEEE 802.11 wireless communication protocols WEP and WPA. Based on several partial temporary key recovery attacks, we recover the full 128-bit temporary key of WPA by using $2^{42}$ packets. It works with complexity $2^{96}$. Then, we describe a distinguisher for WPA with complexity $2^{42}$ and advantage 0.5 which uses $2^{42}$ packets. Moreover, we report extremely fast and optimized active and passive attacks against WEP. This was achieved through an extensive amount of theoretical and experimental analysis (capturing WiFi packets), refinement and optimization of all the former known attacks and methodologies against RC4. Our theory is supported and verified by a patch on top of Aircrack-ng. Our new attack improves its success probability drastically. Our active attack, based on ARP injection, requires 22500 packets to gain success probability of 50\% against a 104-bit WEP key, using Aircrack-ng in non-interactive mode. It runs in less than 5 seconds on an off-the-shelf PC. Using the same number of packets, Aicrack-ng yields around 3\% success rate. Furthermore, we describe very fast passive only attacks by eavesdropping TCP/IPv4 packets in a WiFi communication. Our passive attack requires 27500 packets. This is much less than the number of packets Aircrack-ng requires in active mode (around 37500), which is a significant improvement. We believe that our analysis brings on further insight to the security of RC4.

Note: The editorial quality of the paper was improved, and the background was updated with new literature results.